[RADIATOR] iPhones and SSL certificates
hvn at open.com.au
Thu Sep 12 13:19:45 UTC 2019
On 11/09/2019 1.00, Hirayama, Pat wrote:
> Certificate is presented to iPhone user as "Not trusted".
> And yes, I know "Not trusted" isn't necessarily an error. On the
> other hand, if I train users to just ignore this error, then, they
> get used to ignoring other warning messages ....
Yes, I agree with this. When compared to HTTPS, the browser knows the
name of server it should be talking to; with Wi-Fi, the information
about expected server certificate has to come from somewhere else.
> And I don't really have a Mac MDM system to push the cert onto
> everyone's iPhones -- not that I necessarily want to be touching
> people's devices.
To freshen my memory I took a look at what the "Not Trusted" dialog. It
does show the server name and issuing CA name, but it's hard to tell to
which root CA the certificate chain leads to. In other words, good
instructions with screenshots are likely not enough.
> Any other ideas or suggestions, or am I just going to have to accept
> that iPhones will just claim "Not trusted"? I know that if they
> trust the certificate ... it'll happen again the next time I renew
> the certificate as well.
If you do not want to touch, in serviced fashion, people's devices,
would a self service model with clear instructions with a downloadable
profile be an option?
In other words: the profiles created with Apple Configurator 2 are XML
files that can be made available on a web server. They can even be sent
by email, but installing profiles from email attchment sounds risky.
Assuming profiles on web server, Safri launces a dialog for installing a
profile. The profile must then be separately accepted, so instructions
would be needed, but there's no need to have the devices physically
As an advanced step: Because the profiles are XML, they could be
generated per user to have a Wi-Fi specific username/password created
for each user. A colleaque mentioned it would even be possible to embed
a PKCS12 blob with a certificate and a private key to enable EAP-TLS
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
More information about the radiator