
I have a FreeRADIUS server set up for PEAP/MSCHAPv2 connections with an SQL user backend. On that server, I have set up a Let's encrypt certificate for domain access.example.org. This certificate is valid, both if used for SSL (e.g. for a guest portal) and if used for RADIUS, provided you put in the FQDN of the server (e.g. on Android put access.example.org into "Use system certificates"/"Domain" when connecting to the WiFi).

However, that means a user would always have to put said domain in manually; also, some clients (iOS in particular) don't allow manual domain entry at all.

For reasons outside the scope of this question I cannot pre-provision certificates to any client devices. Is there still a way to allow clients to securely connect to a WPA2-Enterprise secured WiFi network without having to manually "trust" the certificate every time? I reckon this would get annoying pretty quickly (aside from being a possible security risk?), especially since the LE cert has to be renewed quite regularly.

Is it possible to allow FreeRADIUS to provide clients with a domain name to validate certificates against? Do I need to include any intermediary certs or something the like?

PiMaker
  • Uncertain if that helps you, but it might be worth a try regardless of the age: https://discussions.apple.com/thread/6536955?page=3 Full quote from that link: "Jan 8, 2015 4:14 PM in response to beejybone: For people who use MDM, I've found the solution: Yes, Apple has improved the security in iOS 8. Now, the user can't validate the CA certificate himself. You have to include the CA certificate in the wifi profile if it's a self-signed certificate. After doing this, your CA will be included in the trusted certificates database and the handshake will be OK." – Dennis Nolte Dec 18 '18 at 10:15

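A profile of the kind the comment above describes, given here as an added example that is not from the question, the comment or the FreeRADIUS project: an iOS/macOS `.mobileconfig` that ships the CA anchor for the RADIUS server's chain and pins the expected server name, so the device checks the PEAP server certificate against access.example.org without the user typing a domain. The SSID, payload identifiers, UUIDs and the certificate data are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>org.example.access.profile</string>
  <key>PayloadUUID</key><string>PLACEHOLDER-UUID-PROFILE</string>
  <key>PayloadDisplayName</key><string>access.example.org Wi-Fi (constructed example)</string>
  <key>PayloadContent</key>
  <array>
    <!-- Certificate payload: the CA that issued the RADIUS server certificate
         (for a Let's Encrypt cert, its root or intermediate). The data element
         would hold the base64 DER certificate; here it is a placeholder. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>org.example.access.ca</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-UUID-CA</string>
      <key>PayloadContent</key>
      <data>PLACEHOLDER_BASE64_DER_CERTIFICATE</data>
    </dict>
    <!-- Wi-Fi payload: WPA2-Enterprise with PEAP (EAP type 25, MSCHAPv2 inside).
         The server identity is bound to both the name and the anchor above, so a
         certificate for any other name, or from any other CA, is rejected. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>org.example.access.wifi</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-UUID-WIFI</string>
      <key>SSID_STR</key><string>PLACEHOLDER-SSID</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
        <!-- Name the device expects in the server certificate; no manual entry needed. -->
        <key>TLSTrustedServerNames</key><array><string>access.example.org</string></array>
        <!-- Trust anchor restricted to the certificate payload shipped in this profile. -->
        <key>PayloadCertificateAnchorUUID</key><array><string>PLACEHOLDER-UUID-CA</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Because the anchor is the issuing CA rather than the leaf certificate, the profile stays valid across Let's Encrypt renewals as long as the server keeps presenting its full chain.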