[RADIATOR] iPhones and SSL certificates

Hirayama, Pat phirayam at fredhutch.org
Tue Sep 10 22:00:01 UTC 2019

Thanks for your suggestion, Heikki.  Having EAPTLS_CertificateChainFile pointing to a file that contains first the server certificate and then the intermediate certificates (with or without the actual root certificate) results in the same behavior.  Certificate is presented to iPhone user as "Not trusted".  

And yes, I know "Not trusted" isn't necessarily an error.  On the other hand, if I train users to just ignore this error, then, they get used to ignoring other warning messages ....

And I don't really have a Mac MDM system to push the cert onto everyone's iPhones -- not that I necessarily want to be touching people's devices.  

Any other ideas or suggestions, or am I just going to have to accept that iPhones will just claim "Not trusted"?  I know that if they trust the certificate ... it'll happen again the next time I renew the certificate as well.  



Pat Hirayama
Systems Engineer / 206.667.4856 / phirayam at fredhutch.org / Fred Hutch / Cures Start Here 
CIT | Advancing IT and Data Services to Accelerate the Elimination of Disease

> -----Original Message-----
> From: radiator <radiator-bounces at lists.open.com.au> On Behalf Of Heikki
> Vatiainen
> Sent: Monday, September 9, 2019 12:28 PM
> To: radiator at lists.open.com.au
> Subject: Re: [RADIATOR] iPhones and SSL certificates
> On 7.9.2019 3.03, Hirayama, Pat wrote:
> > So, using Radiator to authenticate our wifi access points, and it has
> > been brought to my attention that iPhones show my commercially purchased
> > GoDaddy certificate is "Not trusted".  I think this is the relevant part
> > of the config file.
> > Suggestions or explanations of what I'm doing wrong would be
> > appreciated.  Oh, and I think I'm running Radiator 1.143 -- it's pretty
> > old.
> I think the best you can do is to use EAPTLS_CertificateChainFile and
> point it to a file that has first the server certificate and then the
> intermediate CA certificates you want to send to the client.
> Note that "Not trusted" does not necessary mean it's an error. It's just
> telling that there's no profile or any other existing trust. This should
> also be a one-time dialog, once the certificate is trusted, it should
> not pop up the dialog as long as the configuration remains the same.
> These things seem to change between client software releases, but I
> think this is how it currently works.
> If I remember correctly, certificate chain problems trigger a different
> dialog that more clearly says that there's a problem.
> What you could do is to get apple configuration from Apple's app store
> and try creating a profile to see how it changes things. Distributing
> the profile is a different matter, but it might be worth seeing how
> profiles work.
> A quick config note: Only EAPType MSCHAP-V2 is needed in the inner
> AuthBy. The other EAPTLS parameters are not needed either in the inner
> AuthBy.
> Thanks,
> Heikki
> --
> Heikki Vatiainen <hvn at open.com.au>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__lists.open.com.au_mailman_listinfo_radiator&d=DwIF-
> g&c=eRAMFD45gAfqt84VtBcfhQ&r=lnQBMkNb1mBsioi6aP6ts4Sw0Ua5nVh4esYOAh4qTKU&m
> =mwk172ICc5rESPXEN9u8I-N1FKIAunN9KAolYgGCg-
> U&s=CdojgEJk91SLnVE_7r0f3met34aDJ6CTYJH9IZDsDuE&e=

More information about the radiator mailing list