A Matter of Wireless Trust

For various very good reasons, we’ve recently had to change the certificate presented by our RADIUS server for the wireless networks. The process of accepting the new certificate was a breeze on the vast majority of systems.
In fact, that was the case for everything except a few OS X systems. Now I should stress that the certificate is signed by a public CA trusted by the machines in question. There’s no good reason the certificate wouldn’t be accepted.
The OS X systems would dutifully accept it, until the user connected a second time. They would then be prompted to accept the certificate again, something that happened every single time you connected to the network. As you can imagine, that went down well with end users.
Our first approach to tackling the problem was to find the root, intermediate and server certificate the machine imported and fully trust them. It was hoped that would prevent the pop-ups from occurring. Sadly, no such luck. We still saw alerts from eapol in the system log indicating nothing had changed.
Clearing the wireless network configuration and starting again didn’t help.
The solution to this problem is both confusing and daft. Connect to the network and clear the certificate prompt. Now open up Keychain Manager. Find the certificates in the login keychain (root, intermediate and server), then delete them (right click and select delete from the menu). You’ll be prompted for a password to remove each certificate.
Disconnect from the network and re-connect. You shouldn’t be prompted again.
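As an added helper (not part of the original post), the same clean-up from the command line: dump the login keychain's certificates with `security find-certificate -a -p login.keychain` (the PEM output doubles as a backup of what you remove), feed that text to the script below, and it computes each certificate's SHA-1 fingerprint and emits the matching `security delete-certificate -Z <hash> login.keychain` command, so only the intended certificates are targeted rather than anything whose name happens to match `-c`. The `match` filter, the sample PEM blocks (whose bodies are constructed strings, not real certificates) and the function names are this example's own assumptions.

```python
"""Turn `security find-certificate -a -p <keychain>` output into
fingerprint-targeted `security delete-certificate -Z` commands."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text, match=None):
    """Return the SHA-1 fingerprint (uppercase hex) of each PEM certificate.

    The keychain identifies a certificate by the SHA-1 of its DER encoding,
    which is the value `security delete-certificate -Z` expects.  If `match`
    is given, keep only certificates whose DER contains that text; subject
    strings are stored verbatim in DER, so this crudely selects by name.
    """
    fingerprints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        if match is not None and match.encode() not in der:
            continue
        fingerprints.append(hashlib.sha1(der).hexdigest().upper())
    return fingerprints


def delete_commands(pem_text, keychain="login.keychain", match=None):
    """Build one delete invocation per selected certificate."""
    return ["security delete-certificate -Z %s %s" % (fp, keychain)
            for fp in pem_fingerprints(pem_text, match)]


# Constructed sample (assumption): the bodies decode to plain ASCII strings,
# not real certificates, and exist only to exercise the parser.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Usage: security find-certificate -a -p login.keychain | python3 thisfile.py [name]
    name = sys.argv[1] if len(sys.argv) > 1 else None
    for command in delete_commands(sys.stdin.read(), match=name):
        print(command)
```

Review the printed commands before running them; the keychain prompts for your password on each deletion, as the GUI does.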