OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: GreenMatter on September 08, 2020, 10:15:33 PM

Title: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: GreenMatter on September 08, 2020, 10:15:33 PM
I use FreeRADIUS and I set an LE certificate to be used for EAP-PEAP authentication. Unfortunately, it shows up on iOS devices as untrusted (despite being trusted on a webpage).
Maybe it requires a full chain certificate?
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: mimugmail on September 09, 2020, 08:13:47 AM
Why do you want to use LE for such a serious service?
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: Fright on September 09, 2020, 10:13:35 AM
GreenMatter, untrusted or not verified?
It's how iOS works
https://framebyframewifi.net/2017/01/29/use-lets-encrypt-certificates-with-freeradius/
first comments
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: mimugmail on September 09, 2020, 01:07:32 PM
I don't trust it, no one should. If you are really concerned, set up a PKI; if you are not, you can still use WPA2 without 802.1X.
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: Fright on September 09, 2020, 01:19:15 PM
Quote: I don't trust it, no one should
Why?
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: mimugmail on September 09, 2020, 01:23:26 PM
What will you do when this free service is taken down?
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: Fright on September 09, 2020, 01:29:20 PM
Will switch to my own PKI (I currently use it for inside services. For services available via the Internet I use LE).
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: GreenMatter on September 09, 2020, 06:29:22 PM
Quote from: mimugmail on September 09, 2020, 08:13:47 AM
Why do you want to use LE for such a serious service?
I wanted to have/use a publicly trusted certificate so as not to force guest users to accept a self-signed certificate...

The iOS device showed the certificate as untrusted. Thanks @Fright for the link. Have a closer look at it.
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: GreenMatter on September 09, 2020, 07:35:40 PM
One more thing: OS X based computers also show the LE certificate as untrusted when it is used for FreeRADIUS WiFi validation.

Long story short, it's better to use a tailor-made, self-signed certificate with a validity of, let's say, 2 years? 😄
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: mimugmail on September 09, 2020, 08:28:42 PM
Guests should use WPA Personal or Open plus captive portal
Title: Re: Let’s Encrypt EAP-PEAP WiFi certificate
Post by: GreenMatter on September 09, 2020, 08:52:53 PM
Quote from: mimugmail on September 09, 2020, 08:28:42 PM
Guests should use WPA Personal or Open plus captive portal
Regardless of guests, since users need to accept the LE (untrusted) certificate every 2 months, it is better to use an untrusted, self-signed certificate with much longer validity...