WPA Enterprise, RADIUS, and Certificate error



  • I have what is probably a dumb question, but after searching I've been unable to solve it.

    I purchased a Comodo SSL cert for my pfsense (pf.domain.co). It works great for the WebGUI.

    I have my Unifi set up for WPA-Enterprise, validating users against FreeRADIUS running on the pfsense. When connecting the first time, it grabs the correct cert, but it throws up the "This certificate is not trusted" error. I've encountered this on iOS and Mac. For my Android, I have to turn off certificate validation.

    Once I tell it to trust the cert, all is well; but I'd like to eliminate that error altogether if possible

    I would expect this with a self-signed cert, but not a legit cert from Comodo. Cert is not expired.

    Any ideas/advice? I'm in a little over my skis on this one and Google hasn't helped.

    Thank you!
    -David


  • Netgate Administrator

    What is the cert error that it actually shows?

    Freeradius will be using a self generated cert and CA for the EAP traffic by default. Obviously you can't have the CA for Comodo to generate client certs from.

    Steve



  • @stephenw10

    Under EAP I have the CA set to Comodo, which I have set up in certificates, and I use the applicable certificate from Comodo. Unfortunately the error doesn't give much more detail other than untrusted. When I review the certificate, it looks fine and valid to me: correct expiration, correct domain for the certificate.


  • LAYER 8 Netgate

    You must explicitly trust a CA for 802.1X.

    It is not a web browser.

    This is generally done by pushing a policy to the device with a group policy object or similar.

    I would not trust a public CA for this purpose or the devices will trust any authentication server with a certificate signed by that CA.
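    The risk described in this reply, shown as an added example that is not code from the thread, pfSense, FreeRADIUS or Unifi: a small model of how a wpa_supplicant-style 802.1X supplicant decides whether to accept the RADIUS/EAP server certificate. It implements the two checks a supplicant profile carries, the trust anchor (`ca_cert`) and the server-name constraint (`domain_suffix_match`, label-by-label suffix matching against SAN dNSNames, falling back to the subject CN when no dNSName is present). Certificates are plain records with constructed fingerprints and names, not parsed X.509; `pf.domain.co` is the server name from the original post, everything else is made up for the example.

```python
"""Model of an 802.1X supplicant's server-certificate decision (wpa_supplicant
semantics).  Added example; certificate data below is constructed, not real."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Cert:
    subject_cn: str
    san_dns: List[str]
    issuer_fp: str  # fingerprint of the issuing CA; stands in for chain validation


@dataclass
class SupplicantPolicy:
    trusted_ca_fps: Set[str]        # what the profile's ca_cert= resolves to
    domain_suffix_match: str = ""   # wpa_supplicant syntax, ';'-separated suffixes


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def suffix_matches(name: str, suffix: str) -> bool:
    """Label-boundary suffix match: radius.pf.domain.co matches pf.domain.co,
    notpf.domain.co does not."""
    name, suffix = _norm(name), _norm(suffix)
    return name == suffix or name.endswith("." + suffix)


def cert_names(cert: Cert) -> List[str]:
    # If any dNSName SAN is present the CN is ignored, as wpa_supplicant does.
    return cert.san_dns if cert.san_dns else [cert.subject_cn]


def accept_server_cert(cert: Cert, policy: SupplicantPolicy) -> Tuple[bool, str]:
    """Return (accepted, reason) for an EAP server certificate under a policy."""
    if cert.issuer_fp not in policy.trusted_ca_fps:
        return False, "issuer CA is not in ca_cert (untrusted)"
    if policy.domain_suffix_match:
        suffixes = [s for s in policy.domain_suffix_match.split(";") if s]
        if not any(suffix_matches(n, s) for n in cert_names(cert) for s in suffixes):
            return False, "server name does not satisfy domain_suffix_match"
    return True, "accepted"


# --- constructed sample data (hypothetical fingerprints) -------------------
PUBLIC_CA = "sha256:PUBLIC-CA-0001"     # any customer of this CA can get a cert
PRIVATE_CA = "sha256:PRIVATE-CA-0001"   # CA generated on the RADIUS host

LEGIT_PUBLIC = Cert("pf.domain.co", ["pf.domain.co"], PUBLIC_CA)
LEGIT_PRIVATE = Cert("pf.domain.co", ["pf.domain.co"], PRIVATE_CA)
# A rogue AP whose RADIUS cert was bought from the same public CA.
ROGUE = Cert("wifi.evil-hotspot.example", ["wifi.evil-hotspot.example"], PUBLIC_CA)

# Profile that only trusts the public CA: the failure mode the reply warns about.
WEAK_PUBLIC = SupplicantPolicy({PUBLIC_CA})
# Public CA plus a server-name constraint: rogue servers from the same CA fail.
PINNED_PUBLIC = SupplicantPolicy({PUBLIC_CA}, domain_suffix_match="pf.domain.co")
# Private CA pushed to the device: only certs the admin issued are accepted.
PRIVATE_ONLY = SupplicantPolicy({PRIVATE_CA}, domain_suffix_match="pf.domain.co")


def render_network_block(ssid: str, ca_cert_path: str, suffix: str) -> str:
    """wpa_supplicant.conf network block with the CA and name constraint set."""
    return (
        "network={\n"
        f'\tssid="{ssid}"\n'
        "\tkey_mgmt=WPA-EAP\n"
        "\teap=PEAP\n"
        f'\tca_cert="{ca_cert_path}"\n'
        f'\tdomain_suffix_match="{suffix}"\n'
        "}\n"
    )


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_PUBLIC), ("rogue", ROGUE)):
        for pname, pol in (("weak", WEAK_PUBLIC), ("pinned", PINNED_PUBLIC)):
            print(f"{label:5} under {pname:6}: {accept_server_cert(cert, pol)}")
    print(render_network_block("CorpWifi", "/etc/ssl/certs/radius-ca.pem", "pf.domain.co"))
```

    The weak profile accepts the rogue server because it holds a valid certificate from the same public CA; the pinned profile rejects it on the name constraint, and the private-CA profile rejects anything the admin did not issue. Either way the CA, and ideally the name constraint, has to be delivered to the device as a configuration profile, since a supplicant has no "proceed anyway" prompt that is safe to rely on.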

