[RADIATOR] iPhones and SSL certificates
Heikki Vatiainen
hvn at open.com.au
Mon Sep 9 19:27:52 UTC 2019
On 7.9.2019 3.03, Hirayama, Pat wrote:
> So, using Radiator to authenticate our wifi access points, and it has
> been brought to my attention that iPhones show my commercially purchased
> GoDaddy certificate is “Not trusted”. I think this is the relevant part
> of the config file.
> Suggestions or explanations of what I’m doing wrong would be
> appreciated. Oh, and I think I’m running Radiator 1.143 -- it’s pretty
> old.
I think the best you can do is to use EAPTLS_CertificateChainFile and
point it to a file that has first the server certificate and then the
intermediate CA certificates you want to send to the client.
Note that "Not trusted" does not necessarily mean it's an error. It's just
telling you that there's no profile or any other existing trust. This should
also be a one-time dialog: once the certificate is trusted, it should
not pop up the dialog again as long as the configuration remains the same.
These things seem to change between client software releases, but I
think this is how it currently works.
If I remember correctly, certificate chain problems trigger a different
dialog that more clearly says that there's a problem.
What you could do is to get Apple Configurator from Apple's App Store
and try creating a profile to see how it changes things. Distributing
the profile is a different matter, but it might be worth seeing how
profiles work.
A quick config note: Only EAPType MSCHAP-V2 is needed in the inner
AuthBy. The other EAPTLS parameters are not needed either in the inner
AuthBy.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
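The chain-file advice above (server certificate first, then the intermediate CA certificates, in issuing order) is easy to get wrong by hand. The script below is an added example, not part of this thread or of Radiator, and it uses a constructed test PKI (Example Root CA, Example Intermediate CA, radius.example.com) rather than any real GoDaddy certificate. It builds a chain file in the order EAPTLS_CertificateChainFile expects, checks that each certificate is followed by its issuer, and verifies the server certificate against the root with the chain as the untrusted intermediates, which is roughly what a client does before deciding whether the chain is complete.

```shell
#!/bin/sh
# Added example: build and sanity-check an EAP-TLS certificate chain file.
# All names, file paths and the test PKI are constructed for this demo.
set -u

# Write a minimal x509v3 extension file for a CA or a leaf (server) certificate.
write_ext() {  # write_ext <ca|leaf> <outfile>
  if [ "$1" = ca ]; then
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$2"
  else
    printf 'basicConstraints=CA:false\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.com\n' > "$2"
  fi
}

# Issue a certificate: fresh RSA key + CSR, signed by <issuer> or self-signed ("self").
issue_cert() {  # issue_cert <dir> <name> <common-name> <ca|leaf> <issuer-name|self>
  dir=$1; name=$2; cn=$3; kind=$4; issuer=$5
  write_ext "$kind" "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
      -out "$dir/$name.csr" -subj "/CN=$cn" >/dev/null 2>&1
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 365 \
        -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
        -CAcreateserial -days 365 -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  fi
}

# Constructed three-tier PKI: root -> intermediate -> RADIUS server certificate.
make_test_pki() {  # make_test_pki <dir>
  issue_cert "$1" root   "Example Root CA"         ca   self
  issue_cert "$1" int    "Example Intermediate CA" ca   root
  issue_cert "$1" server "radius.example.com"      leaf int
}

# Chain file for EAPTLS_CertificateChainFile: the server cert first, then intermediates.
build_chain_file() {  # build_chain_file <outfile> <server.pem> <intermediate.pem>...
  out=$1; shift
  cat "$@" > "$out"
}

# Check that the first cert is a leaf and that every cert is followed by its issuer.
check_chain_order() {  # check_chain_order <chainfile>; returns 0 when the order is right
  work=$(mktemp -d)
  awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/%02d.pem", d, n)} n{print > f}' "$1"
  [ -e "$work/01.pem" ] || { echo "no certificates found in $1" >&2; rm -rf "$work"; return 1; }
  prev=""; rc=0
  for cert in "$work"/*.pem; do
    if [ -z "$prev" ]; then
      # The first certificate must be the server certificate, not a CA.
      if openssl x509 -noout -text -in "$cert" | grep -q 'CA:TRUE'; then
        echo "first certificate is a CA, not the server certificate" >&2; rc=1
      fi
    else
      want=$(openssl x509 -noout -issuer -in "$prev" | sed 's/^issuer= *//')
      have=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject= *//')
      if [ "$want" != "$have" ]; then
        echo "chain break: expected issuer '$want', next certificate is '$have'" >&2; rc=1
      fi
    fi
    prev=$cert
  done
  rm -rf "$work"
  return $rc
}

# Verify the server certificate against the trusted root, with the chain file
# supplying the intermediates, the way a supplicant with a trusted root would.
verify_chain() {  # verify_chain <root.pem> <chainfile> <server.pem>
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

demo() {
  tmp=$(mktemp -d)
  make_test_pki "$tmp"
  build_chain_file "$tmp/chain.pem" "$tmp/server.pem" "$tmp/int.pem"
  check_chain_order "$tmp/chain.pem" && verify_chain "$tmp/root.pem" "$tmp/chain.pem" "$tmp/server.pem" \
    && echo "chain file OK: $tmp/chain.pem"
  rm -rf "$tmp"
}
demo
```

Point EAPTLS_CertificateChainFile at the file produced by build_chain_file; the same check_chain_order test catches the common mistakes of putting the intermediate first or omitting it entirely, and verify_chain fails with "unable to get local issuer certificate" when the intermediate is missing.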