<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Also this document:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<a href="https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap" id="LPlnk">https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap</a><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
"For wireless clients, the Subject Alternative Name (SubjectAltName) extension contains the server's fully qualified domain name (FQDN)."</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
What is this referring to? Does the SAN for our cert need to match anything, like the server Radiator is running on, etc.?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> radiator <radiator-bounces@lists.open.com.au> on behalf of Ullfig, Roberto Alfredo <rullfig@uic.edu><br>
<b>Sent:</b> Wednesday, June 2, 2021 10:38 AM<br>
<b>To:</b> Heikki Vatiainen <hvn@open.com.au>; radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: [RADIATOR] Certificate Not Trusted - InCommon?</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
</style>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
We are using these options:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div>EAPTLS_CAFile</div>
<div>EAPTLS_CertificateFile</div>
<div><br>
</div>
<div>So we should use:</div>
<div><br>
</div>
<div>EAPTLS_CertificateChainFile<br>
</div>
<div><br>
</div>
<div>with all certs in it? There are two intermediate certs - does their order matter?</div>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="x_Signature">
<div>
<div></div>
<div id="x_divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="x_ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="x_ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> radiator <radiator-bounces@lists.open.com.au> on behalf of Heikki Vatiainen <hvn@open.com.au><br>
<b>Sent:</b> Wednesday, June 2, 2021 10:17 AM<br>
<b>To:</b> radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: [RADIATOR] Certificate Not Trusted - InCommon?</font>
<div> </div>
</div>
<div class="x_BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="x_PlainText">On 1.6.2021 18.35, Ullfig, Roberto Alfredo wrote:<br>
<br>
> This has always been an issue for us. Whenever a user connects for the <br>
> first time they get "certificate not trusted". Is this because the <br>
> certificate is issued by:<br>
> <br>
>          Issuer: C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, <br>
> CN=InCommon RSA Server CA<br>
> <br>
> So, most (maybe all) devices do not install the InCommon CA? What's the <br>
> best solution for this? Should users manually install the InCommon CA <br>
> first before connecting?<br>
<br>
Martin already replied about the importance of the server chain, so I'll <br>
just add one more thing we have also seen happening:<br>
<br>
See the document below and look for 'Trust-On-First-Use' or 'TOFU':<br>
<br>
<a href="https://www.wi-fi.org/download.php?file=/sites/default/files/private/202012_Wi-Fi_Security_Roadmap_and_WPA3_Updates.pdf">https://www.wi-fi.org/download.php?file=/sites/default/files/private/202012_Wi-Fi_Security_Roadmap_and_WPA3_Updates.pdf</a><br>
<br>
The devices may still prompt the user even if the certificate chain is <br>
correct. For example, even if the certificate chain is correct, the user <br>
is required to accept that the name in the certificate is something that's <br>
expected. When this is done, the dialog doesn't re-appear until the <br>
certificate changes.<br>
<br>
I think the exact wording in the dialog is different when the <br>
certificate chain is not complete as opposed to the case where the chain <br>
is good but the certificate is not yet known.<br>
<br>
To configure Radiator to send intermediate CA certificates, use the <br>
EAPTLS_CertificateChainFile parameter instead of the<br>
EAPTLS_CertificateFile parameter. The difference is that <br>
EAPTLS_CertificateFile contains only the server's certificate. The chain <br>
file starts with the server's certificate followed by one or more <br>
intermediate CA certificates. These all need to be in PEM format.<br>
<br>
<a href="https://files.radiatorsoftware.com/radiator/ref/EAPTLS_CertificateChainFile.html">https://files.radiatorsoftware.com/radiator/ref/EAPTLS_CertificateChainFile.html</a><br>
<br>
You may already have the configuration set correctly and it's just the <br>
TOFU prompts the clients display, but it might be useful to check that <br>
the chain is correctly configured too.<br>
<br>
Thanks,<br>
Heikki<br>
<br>
<br>
-- <br>
Heikki Vatiainen <hvn@open.com.au><br>
<br>
Radiator: the most portable, flexible and configurable RADIUS server<br>
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,<br>
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,<br>
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.<br>
_______________________________________________<br>
radiator mailing list<br>
radiator@lists.open.com.au<br>
<a href="https://lists.open.com.au/mailman/listinfo/radiator">https://lists.open.com.au/mailman/listinfo/radiator</a><br>
</div>
</span></font></div>
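<div class="x_PlainText">The order Heikki describes (server certificate first, then each intermediate that issued the certificate before it) can be checked before the chain file is reloaded. The script below is an added example, not code from the original message or from Radiator: it parses each PEM block of an EAPTLS_CertificateChainFile-style file just far enough to read the issuer and subject Names and confirms that every certificate's issuer is the subject of the next one. The sample chain at the bottom is constructed from minimal unsigned certificate skeletons with made-up names; feed check_chain_order the contents of a real chain file to test an actual deployment.</div>
<pre>
```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                      # long form: low bits say how many length bytes follow
        n = length - 0x80
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Return the DER-encoded (issuer, subject) Names of one X.509 certificate."""
    tbs = _tlv(_tlv(der)[1])[1]             # Certificate SEQUENCE -> tbsCertificate SEQUENCE
    tag, _, after = _tlv(tbs)
    pos = after if tag == 0xA0 else 0       # skip the optional [0] EXPLICIT version
    for _ in range(2):                      # serialNumber, signature AlgorithmIdentifier
        pos = _tlv(tbs, pos)[2]
    _, issuer, pos = _tlv(tbs, pos)         # issuer Name
    pos = _tlv(tbs, pos)[2]                 # validity
    return issuer, _tlv(tbs, pos)[1]        # subject Name

def check_chain_order(pem_text):
    """Problems found in a chain file; [] means server cert first, then its issuers in order."""
    certs = [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]
    if not certs:
        return ["no PEM certificates found"]
    names = [issuer_and_subject(c) for c in certs]
    problems = [] if len(certs) > 1 else ["only one certificate present: intermediates are missing"]
    for i in range(len(names) - 1):         # issuer of cert i must equal subject of cert i+1
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}")
    return problems

# Constructed sample input: minimal unsigned certificate skeletons, not real InCommon certs.
def _der(tag, body):
    n = len(body)
    return (bytes([tag, 0x82, n // 256, n % 256]) if n >= 0x80 else bytes([tag, n])) + body

def _name(cn):                              # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes([0x55, 4, 3])) + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject, issuer):
    tbs = _der(0x02, b"\x01") + _der(0x30, b"") + _name(issuer) + _der(0x30, b"") + _name(subject)
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

LINKS = [("radius.example.edu", "Example Intermediate CA 1"),      # server cert and its issuer
         ("Example Intermediate CA 1", "Example Intermediate CA 2"), ("Example Intermediate CA 2", "Example Root CA")]
GOOD_CHAIN = "".join(fake_cert_pem(s, i) for s, i in LINKS)
SWAPPED_CHAIN = "".join(fake_cert_pem(s, i) for s, i in (LINKS[0], LINKS[2], LINKS[1]))
```
</pre>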
</div>
</body>
</html>