[RADIATOR] iPhones and SSL certificates
hvn at open.com.au
Mon Sep 9 19:27:52 UTC 2019
On 7.9.2019 3.03, Hirayama, Pat wrote:
> So, using Radiator to authenticate our wifi access points, and it has
> been brought to my attention that iPhones show my commercially purchased
> GoDaddy certificate is “Not trusted”. I think this is the relevant part
> of the config file.
> Suggestions or explanations of what I’m doing wrong would be
> appreciated. Oh, and I think I’m running Radiator 1.143 -- it’s pretty
I think the best you can do is to use EAPTLS_CertificateChainFile and
point it to a file that has first the server certificate and then the
intermediate CA certificates you want to send to the client.
Note that "Not trusted" does not necessary mean it's an error. It's just
telling that there's no profile or any other existing trust. This should
also be a one-time dialog, once the certificate is trusted, it should
not pop up the dialog as long as the configuration remains the same.
These things seem to change between client software releases, but I
think this is how it currently works.
If I remember correctly, certificate chain problems trigger a different
dialog that more clearly says that there's a problem.
What you could do is to get apple configuration from Apple's app store
and try creating a profile to see how it changes things. Distributing
the profile is a different matter, but it might be worth seeing how
A quick config note: Only EAPType MSCHAP-V2 is needed in the inner
AuthBy. The other EAPTLS parameters are not needed either in the inner
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
More information about the radiator