Re: [RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-02 Thread A . L . M . Buxey
Hi,

>Oh man!
> 
>In other words it's a waste of good money to pay for a signed certificate.

for your own internal 802.1X (where you are only directly authenticating your own users (and that includes eg eduroam) - yes.  best practice is to use a self-signed CA (you have the same issues in getting the Root CA onto the clients but there are tools, some free, for that anyway.


for a public 802.1X system where any person wants to join then there are 2 arguments - ease of use (go for well known public CA) or security - use a self-signed CA.   I'd hope such a public 802.1X system (and there are some out there now and increasing due to eg HS2.0/passpoint/802.11u) would have some configuration system/tool and they should use a self-signed CA - any $0.01 script kiddie can get a cert from a well known CA for some $$ and fake your AP/network  :/


alan
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-02 Thread Jesper Skou Jensen
Oh man!

In other words it's a waste of good money to pay for a signed certificate. :(

But thanks for the info, that explains why I couldn't get the bloody thing 
working the way I wanted.


Regards
Jesper



Re: [RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-01 Thread Ole Frendved Hansen
Hi Jesper,

I think this is normal behavior.
In eduroam we install the CA's root-certificate in the client/supplicant. (The 'eduroam CAT' crafted installer does so).

The client's certificate store is the responsibility of the browser (in a laptop).
So, in a web context your server-certificate is said to be click-free (automatically acknowledged), if the CA has paid to be included in the default collection within the certificate store.

I am not into if wi-fi is able to access those certificate stores on some 
platforms.


Best, Ole
--
ole.frendved.han...@deic.dk
DeIC, Danish e-Infrastructure Cooperation, www.deic.dk





[RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-01 Thread Jesper Skou Jensen
Hello people,

I'm in the process of renewing a certificate for our Radiator setup and I've run into a bit of a problem.

The problem is that I can't get clients to trust the WPA2 certificate when connecting to the network. E.g. Windows 7, an iPhone and probably other clients too.

On the iOS I keep getting the message "Not Trusted" when logging on to the 
network the first time and on both Windows and iOS I have to accept the 
certificate before getting logged on.

I'm wondering if that's the way it's supposed to work or if I've done something 
wrong with my Radiator config?


It's an Enterprise WPA2 setup.

Running Radiator version 4.15 on Linux.

The certificate is signed by COMODO and should be trusted by various browsers, 
phones, etc.

The certificate specific part of the radiator configuration is like this:

EAPTLS_CAPath %D/certificates/ca-certs
EAPTLS_CertificateChainFile %D/certificates/server-chain
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/server-key

ca-certs has only one file "AddTrustAB.pem" that has the CA Root certificate.
server-key is my private key.
server-chain first has my public key followed by two intermediate certs.


Does that sound about right, or have you got any recommendations?


Regards
Jesper Skou Jensen
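The chain layout Jesper describes (server certificate first, intermediates after it, root in the CA directory) and Alan's point that a certificate from a well-known CA proves nothing unless the supplicant also checks the server name can both be exercised with a short check. The script below is an added example, not Radiator's code or anything from the thread: it builds a constructed root/intermediate/server PKI with openssl (the names `Example Root CA`, `Example Issuing CA` and `radius.example.org` are made up), writes a correctly and an incorrectly ordered chain file, and verifies each the way a supplicant would.

```shell
#!/bin/sh
# Hypothetical helper, not from Radiator or this thread. It builds a throwaway
# root -> intermediate -> server PKI, then checks an EAPTLS_CertificateChainFile
# the way a supplicant does: leaf first, each cert issued by the next, the leaf
# chaining to a root in the CA directory and carrying the expected server name.
set -e
W=$(mktemp -d); cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
mkcert() { # mkcert <name> <subject> <issuer-name|self> [extfile]
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" \
    -out "$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -extfile ca.ext \
      -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 2 ${4:+-extfile "$4"} -out "$1.pem" 2>/dev/null
  fi
}
mkcert root   "/CN=Example Root CA"    self         # constructed stand-in for the root CA
mkcert inter  "/CN=Example Issuing CA" root ca.ext  # the intermediate found in server-chain
mkcert server "/CN=radius.example.org" inter        # the RADIUS server certificate
mkdir ca-certs; cp root.pem ca-certs/root.pem       # what EAPTLS_CAPath should hold
cat server.pem inter.pem > good-chain               # leaf first, then intermediate(s)
cat inter.pem server.pem > bad-chain                # same certs, wrong order

# check_chain <chainfile> <ca-dir> <expected-leaf-cn>: returns 0 only if the
# order is right, the leaf names the expected server, and it verifies to a root
check_chain() {
  chain=$1; cadir=$2; expect=$3
  rm -f c[0-9]*.pem; awk '/BEGIN CERT/{n++} {print > ("c" n ".pem")}' "$chain"
  n=$(grep -c 'BEGIN CERT' "$chain")
  openssl x509 -noout -subject -in c1.pem | grep -q "CN *= *$expect\$" \
    || { echo "first cert is not the server certificate for $expect"; return 1; }
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -noout -issuer  -in "c$i.pem"       | sed 's/^issuer=//')
    sub=$(openssl x509 -noout -subject -in "c$((i+1)).pem" | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || { echo "cert $i is not issued by cert $((i+1))"; return 1; }
    i=$((i+1))
  done
  cat "$cadir"/*.pem > roots.pem; i=2; set --
  while [ "$i" -le "$n" ]; do cat "c$i.pem"; i=$((i+1)); done > untrusted.pem
  [ -s untrusted.pem ] && set -- -untrusted untrusted.pem
  openssl verify -CAfile roots.pem "$@" c1.pem >/dev/null 2>&1
}
check_chain good-chain ca-certs radius.example.org && echo "good-chain: OK"
check_chain bad-chain  ca-certs radius.example.org || echo "bad-chain: rejected"
```

The name check is the part a public CA cannot do for you: a supplicant that only trusts the CA, but never pins the server name, accepts any certificate that CA has sold to anyone.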