[RADIATOR] Certificate Not Trusted - InCommon?

Heikki Vatiainen hvn at open.com.au
Wed Jun 2 15:17:02 UTC 2021


On 1.6.2021 18.35, Ullfig, Roberto Alfredo wrote:

> This has always been an issue for us. Whenever a user connects for the 
> first time they get "certificate not trusted". Is this because the 
> certificate is issued by:
> 
>          Issuer: C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, 
> CN=InCommon RSA Server CA
> 
> So, most (maybe all) devices do not install the InCommon CA? What's the 
> best solution for this? Should users manually install the InCommon CA 
> first before connecting?

Martin already replied about the importance of the server chain, so I'll 
just add one more thing we have also seen happening:

See the document below and look for 'Trust-On-First-Use' or 'TOFU':

https://www.wi-fi.org/download.php?file=/sites/default/files/private/202012_Wi-Fi_Security_Roadmap_and_WPA3_Updates.pdf

The devices may still prompt the user even if the certificate chain is 
correct. For example, even if the certificate chain is correct, the user 
is required to accept that the name in the certificate is something that's 
expected. When this is done, the dialog doesn't re-appear until the 
certificate changes.

I think the exact wording in the dialog is different when the 
certificate chain is not complete as opposed to the case where the chain 
is good but the certificate is not yet known.

To configure Radiator to send intermediate CA certificates, use 
EAPTLS_CertificateChainFile parameter instead of
EAPTLS_CertificateFile parameter. The difference is that 
EAPTLS_CertificateFile contains only the server's certificate. The chain 
file starts with the server's certificate followed by one or more 
intermediate CA certificates. These all need to be in PEM format.

https://files.radiatorsoftware.com/radiator/ref/EAPTLS_CertificateChainFile.html

You may already have the configuration set correctly and it's just the 
TOFU prompts the clients display, but it might be useful to check that 
the chain is correctly configured too.

Thanks,
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
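As an added illustration, not part of Heikki's message or of Radiator's own code: a POSIX shell script that uses openssl to build a constructed root, intermediate and server certificate, then checks a PEM bundle for the layout EAPTLS_CertificateChainFile expects (server certificate first, followed by intermediate CA certificates, each one issued by the next), and shows that a file holding only the server certificate, as EAPTLS_CertificateFile would, cannot be verified by a client that trusts only the root. All names (radius.example.net, "Constructed Root CA") and files are made up for the example.

```shell
#!/bin/sh
# Added example: check a PEM chain file the way a RADIUS client has to use it.
# Constructed test PKI and names; nothing here comes from a real deployment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> server with openssl (EC keys, short lifetime).
build_test_pki() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.net\n' > server.ext
  for name in root inter server; do
    case $name in
      root)   subj="/CN=Constructed Root CA" ;;
      inter)  subj="/CN=Constructed Intermediate CA" ;;
      server) subj="/CN=radius.example.net" ;;
    esac
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$name.key" -out "$name.csr" -subj "$subj" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.ext -out inter.pem 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 \
    -extfile server.ext -out server.pem 2>/dev/null
  cat server.pem inter.pem > good-chain.pem    # what EAPTLS_CertificateChainFile should hold
  cat inter.pem server.pem > wrong-order.pem   # same certificates, wrong order
  cp server.pem server-only.pem                # what EAPTLS_CertificateFile holds
}

# Split a PEM bundle into $2.1, $2.2, ... and print how many certificates it held.
split_pem() {
  awk -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = p "." n }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}

is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Return 0 if $1 is laid out as server cert, then intermediates each signed by the next.
check_chain_order() {
  dir=$(mktemp -d "$WORK/split.XXXXXX")
  count=$(split_pem "$1" "$dir/cert")
  if [ "$count" -lt 2 ]; then
    echo "$1: holds $count certificate(s); need the server cert plus intermediate(s)" >&2
    return 1
  fi
  if is_ca_cert "$dir/cert.1"; then
    echo "$1: first certificate is a CA certificate; the server certificate must come first" >&2
    return 1
  fi
  i=1
  while [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$dir/cert.$i" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$dir/cert.$j" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "$1: certificate $i issuer ($issuer) != certificate $j subject ($subject)" >&2
      return 1
    fi
    is_ca_cert "$dir/cert.$j" || { echo "$1: certificate $j is not a CA certificate" >&2; return 1; }
    i=$j
  done
  return 0
}

# Mimic a client that has only the root installed: verify the first certificate in $1
# using the rest of the file as untrusted intermediates and $2 as the trust anchor.
verify_against_root() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

report() {  # $1 = label, rest = command to run
  label=$1; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

build_test_pki
report "good-chain.pem order"        check_chain_order "$WORK/good-chain.pem"
report "wrong-order.pem order"       check_chain_order "$WORK/wrong-order.pem"
report "server-only.pem order"       check_chain_order "$WORK/server-only.pem"
report "good-chain.pem verifies"     verify_against_root "$WORK/good-chain.pem" "$WORK/root.pem"
report "server-only.pem verifies"    verify_against_root "$WORK/server-only.pem" "$WORK/root.pem"
```

Run it against a real chain file by calling `check_chain_order /path/to/chain.pem` and `verify_against_root /path/to/chain.pem /path/to/root.pem` with the CA's published root; the last two PASS/FAIL lines are the difference between a client that can complete the chain and one that sees an incomplete one.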
