Hi, > RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That > means that no one else can successfully convince the users to send them > the passwords. seconded/thirded. as UK eduroam support I agree that such a closed-loop system provides a better protection. though more config and deployment pains, certainly ;-) alan