
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

I googled this TOFU design</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<a href="https://en.wikipedia.org/wiki/Trust_on_first_use" id="LPlnk">https://en.wikipedia.org/wiki/Trust_on_first_use</a><br>

</div>

<div class="_Entity _EType_OWALinkPreview _EId_OWALinkPreview _EReadonly_1"></div>

<br>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<a href="https://security.stackexchange.com/questions/178909/my-school-wifi-asks-to-trust-a-certificate-on-iphones-does-this-allow-them-to" id="LPlnk745009">https://security.stackexchange.com/questions/178909/my-school-wifi-asks-to-trust-a-certificate-on-iphones-does-this-allow-them-to</a><br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<a href="https://communications.financials.utexas.edu/news/new-wifi-certificate-starting-july-14" id="LPlnk">https://communications.financials.utexas.edu/news/new-wifi-certificate-starting-july-14</a><br>

</div>

<div class="_Entity _EType_OWALinkPreview _EId_OWALinkPreview_1 _EReadonly_1"></div>

<br>

<div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

and it would appear that it's normal but our management wants to get rid of the prompt because there's an open (no auth) wifi pilot SSID on campus where that trust prompt never appears so they think it's a problem with our service. Is there a more official

 paper I can point them at to convince them that this TOFU is ok? Thanks!</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div id="Signature">

<div>

<div></div>

<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">

<div style="font-family:Tahoma; font-size:13px">---

<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>

<div><span id="ms-rterangepaste-end"></span></div>

</div>

</div>

</div>

</div>

</div>

</div>

<div id="appendonsend"></div>

<hr style="display:inline-block;width:98%" tabindex="-1">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> radiator <radiator-bounces@lists.open.com.au> on behalf of Ullfig, Roberto Alfredo <rullfig@uic.edu><br>

<b>Sent:</b> Wednesday, June 2, 2021 1:37 PM<br>

<b>To:</b> radiator@lists.open.com.au <radiator@lists.open.com.au><br>

<b>Subject:</b> Re: [RADIATOR] Certificate Not Trusted - InCommon?</font>

<div> </div>

</div>

<style type="text/css" style="display:none">

<!--

p

        {margin-top:0;

        margin-bottom:0}

-->

</style>

<div dir="ltr">

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

trying to use EAPTLS_CertificateChainFile does not work - we are running 4.16 - these errors appear when a user attempts to connect:</div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<br>

</div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

Wed Jun  2 13:32:22 2021: ERR: TLS could not load_verify_locations , :  16422: 1 - error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library

<div> 16422: 2 - error:25070067:DSO support routines:DSO_load:could not load the shared library</div>

<div> 16422: 3 - error:260B6084:engine routines:DYNAMIC_LOAD:dso not found</div>

 16422: 4 - error:2606A074:engine routines:ENGINE_by_id:no such engine<br>

</div>

<div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<br>

</div>

<div id="x_Signature">

<div>

<div></div>

<div id="x_divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">

<div style="font-family:Tahoma; font-size:13px">---

<div><span id="x_ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">

<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>

<div><span id="x_ms-rterangepaste-end"></span></div>

</div>

</div>

</div>

</div>

</div>

</div>

<div id="x_appendonsend"></div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<br>

</div>

<hr tabindex="-1" style="display:inline-block; width:98%">

<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> radiator <radiator-bounces@lists.open.com.au> on behalf of Heikki Vatiainen <hvn@open.com.au><br>

<b>Sent:</b> Wednesday, June 2, 2021 11:26 AM<br>

<b>To:</b> radiator@lists.open.com.au <radiator@lists.open.com.au><br>

<b>Subject:</b> Re: [RADIATOR] Certificate Not Trusted - InCommon?</font>

<div> </div>

</div>

<div class="x_BodyFragment"><font size="2"><span style="font-size:11pt">

<div class="x_PlainText">On 2.6.2021 18.42, Ullfig, Roberto Alfredo wrote:<br>

<br>

> Also this document:<br>

> <br>

> <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-server%2Fnetworking%2Fcertificate-requirements-eap-tls-peap&data=04%7C01%7Crullfig%40uic.edu%7Cca6419961a4f4471dbc008d925f59c77%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637582559532510025%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=GGpw0XrmSHCwxuwdR2xoOInBA1AyE19B03QHAcSMDdk%3D&reserved=0" originalsrc="https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap" shash="oWyfdcGHdcFQevMqwB2l05ecN5QDj/3U/BPrrDgpR+ASm/MXnZMQmzWGr5+n2UVYKczbkPp+nqCvKZ9uFeBeVBtfvChnq5DEM7jzu9LsYhV7AedUGxr+IBmzYLIf5EDPKqh/dQYWRA8oqFVM67Shc3V5QTWR7NBOW70DfjefmfI=">

https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-server%2Fnetworking%2Fcertificate-requirements-eap-tls-peap&amp;data=04%7C01%7Crullfig%40uic.edu%7Cc2d346b461cb402e370708d925e34d4d%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637582480450282431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=y3hMSGoZ5IMy8bpKzVXFT7QTof15NWUQLhqf8UWGyAg%3D&amp;reserved=0</a>

<br>

> <br>

> "For wireless clients, the Subject Alternative Name (SubjectAltName) <br>

> extension contains the server's fully qualified domain name (FQDN)."<br>

> <br>

> What is this referring to? Does the SAN for our cert need to match <br>

> anything, like the server radiator is running on, etc....<br>

<br>

When profiles are provisioned AD policies or other tools, they set the <br>

WLAN name, expected CA certificates and the expected name in the RADIUS <br>

server's certificate (and possible other information). It seems the name <br>

in a profile is expected to be in SAN when TLS based EAP authentication <br>

is done.<br>

<br>

With HTTPS the browser knows from the URL the expected name of the web <br>

server and the certificate name validation is based on that. With, for <br>

example PEAP, the name is part of the profile settings, or manual <br>

configuration. The client knows from its configuration settings this <br>

configuration and that's what the SAN of your cert needs to match.<br>

<br>

There's no need for the SAN to match the name of the server Radiator <br>

runs on. If you have multiple Radius servers for redundancy purposes, <br>

the can use the same certificate or different certificates. In the <br>

latter case, the profile or other configuration must know about the both <br>

names or otherwise the client devices will start prompting about uknown <br>

or untrusted certificate.<br>

<br>

Getting back to Trust-On-First-Use (TOFU), if you have a profile, then <br>

there should be no TOFU triggered prompts because the trust settings are <br>

already defined.<br>

<br>

Thanks,<br>

Heikki<br>

<br>

<br>

-- <br>

Heikki Vatiainen <hvn@open.com.au><br>

<br>

Radiator: the most portable, flexible and configurable RADIUS server<br>

anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,<br>

EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,<br>

DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.<br>

_______________________________________________<br>

radiator mailing list<br>

radiator@lists.open.com.au<br>

<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&data=04%7C01%7Crullfig%40uic.edu%7Cca6419961a4f4471dbc008d925f59c77%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637582559532519987%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=B8o7sKAiv8n0QgLvOIOOfQP2R7eMFKUAOVN27p3SqOE%3D&reserved=0" originalsrc="https://lists.open.com.au/mailman/listinfo/radiator" shash="ROHf7Twp7lmEuDva267j47U/K6/5ZT47uJusFVfx1uG5X3aa3Y+sKoK/GlSSNMGcVdY55dQKT3KNP5dX1diH8h+mqXfVB8A2onJa7r8Po50zMVURF7XMv3UtHC4WTOTV4biqgRWgvwctUkM+P+i00zLG7bu4GEbyjrgrtWP70ps=">https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&amp;data=04%7C01%7Crullfig%40uic.edu%7Cc2d346b461cb402e370708d925e34d4d%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637582480450282431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=mdsfwcsBuNipMTJ4thg1CY4xmbwm6j%2FFKPnxMOoZ8ow%3D&amp;reserved=0</a><br>

</div>

</span></font></div>

</div>

</body>

</html>