Help for buy a real Cert (not self-signed)

Brian Julin BJulin at clarku.edu
Wed Feb 1 18:01:04 CET 2017


> The problem is if you ever let Linux or Android users near your network, they will only connect in an insecure way, at least with EAP-PEAP/MSCHAP.

Linux can be properly configured.  Well, depending on the UI used.  Android may get there in a few years, but it hid the necessary tools from the user, ignored the bug report asking for them for a decade, then closed it unresolved.

> I did wonder about making FreeRADIUS keep track of the client MAC addresses it's seen. The first time it sees a new MAC address, it *intentionally* returns a bad certificate, and if authentication completes successfully, it puts the user into a different VLAN so they can be isolated.  However if the client aborts the authentication exchange a couple of times, the server marks the MAC address as good and then starts using the correct certificate, and returns the correct VLAN.

> It would be an interesting project, but I don't have time to implement it :-)

I did play with that a bit... not the first-time-seen part but just randomly sending out a bad cert.  It confused clients horribly.
I'd think you'd want to serve the correct certificate first, so Apples pin it, then after a successful auth or two test them for compliance.

https://github.com/skids/freeradius-server/commits/clientverify  would get you part way there if you decide to go adventuring.
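As an added illustration of the policy sketched in this exchange (serve the real certificate first, and only once a client has authenticated a couple of times test it with a deliberately wrong one), here is a stand-alone Python model of the MAC-keyed state machine. It is not code from the list, from FreeRADIUS or from the linked branch. The certificate file names, VLAN IDs, thresholds and MAC addresses are constructed, and wiring cert_for()/on_success()/on_abort() into a real server (for example from rlm_python, with the per-MAC state kept in a database) is assumed rather than shown.

```python
# Added example: a model of the "test the supplicant with a wrong certificate"
# policy discussed on the list. Not FreeRADIUS code; the server-side hook that
# would call these methods from EAP handling is assumed, not shown.
from dataclasses import dataclass
from enum import Enum
import re


class State(Enum):
    NEW = "new"                    # real cert served; counting successful auths
    TESTING = "testing"            # deliberately wrong cert served
    COMPLIANT = "compliant"        # refused the wrong cert: validates the server
    NONCOMPLIANT = "noncompliant"  # completed auth against the wrong cert


@dataclass
class ClientRecord:
    state: State = State.NEW
    good_auths: int = 0  # successful auths seen while NEW
    aborts: int = 0      # aborted handshakes seen while TESTING


def normalize_mac(calling_station_id: str) -> str:
    """Map the usual Calling-Station-Id spellings (AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff) to one lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class CertPolicy:
    def __init__(self, good_cert: str, bad_cert: str, normal_vlan: str,
                 quarantine_vlan: str, good_auths_before_test: int = 2,
                 aborts_to_pass: int = 2) -> None:
        self.good_cert, self.bad_cert = good_cert, bad_cert
        self.normal_vlan, self.quarantine_vlan = normal_vlan, quarantine_vlan
        self.good_auths_before_test = good_auths_before_test
        self.aborts_to_pass = aborts_to_pass
        self.clients: dict[str, ClientRecord] = {}  # keyed by normalized MAC

    def _record(self, mac: str) -> ClientRecord:
        return self.clients.setdefault(normalize_mac(mac), ClientRecord())

    def state_of(self, mac: str) -> State:
        return self._record(mac).state

    def cert_for(self, mac: str) -> str:
        """Certificate to present in this client's next TLS handshake."""
        rec = self._record(mac)
        return self.bad_cert if rec.state is State.TESTING else self.good_cert

    def on_success(self, mac: str) -> str:
        """Authentication completed: return the VLAN to hand back."""
        rec = self._record(mac)
        if rec.state is State.NEW:
            rec.good_auths += 1
            if rec.good_auths >= self.good_auths_before_test:
                rec.state = State.TESTING  # next handshake gets the wrong cert
            return self.normal_vlan
        if rec.state is State.TESTING:
            # Completed a handshake against the wrong certificate, so the
            # supplicant is not validating the server at all: isolate it.
            rec.state = State.NONCOMPLIANT
            return self.quarantine_vlan
        if rec.state is State.COMPLIANT:
            return self.normal_vlan
        return self.quarantine_vlan

    def on_abort(self, mac: str) -> State:
        """Client dropped the handshake. Only aborts during TESTING count;
        refusing the wrong cert often enough marks the client compliant."""
        rec = self._record(mac)
        if rec.state is State.TESTING:
            rec.aborts += 1
            if rec.aborts >= self.aborts_to_pass:
                rec.state = State.COMPLIANT
        return rec.state

    def reset(self, mac: str) -> None:
        """Forget a client, e.g. after its supplicant has been reconfigured."""
        self.clients.pop(normalize_mac(mac), None)


def run_trace(policy: CertPolicy, events):
    """Replay (mac, 'success'|'abort') pairs; returns (cert served, outcome)
    per event: the VLAN on success, the new state name on abort."""
    out = []
    for mac, event in events:
        cert = policy.cert_for(mac)
        if event == "success":
            out.append((cert, policy.on_success(mac)))
        elif event == "abort":
            out.append((cert, policy.on_abort(mac).value))
        else:
            raise ValueError(f"unknown event {event!r}")
    return out


if __name__ == "__main__":
    # Constructed MACs and file names: one client that validates, one that does not.
    policy = CertPolicy("server.pem", "wrong-server.pem", "100", "999")
    validating, blind = "AA-BB-CC-00-11-22", "aabb.cc00.3344"
    trace = ([(validating, "success")] * 2 + [(validating, "abort")] * 2
             + [(validating, "success")] + [(blind, "success")] * 4)
    for (mac, ev), (cert, outcome) in zip(trace, run_trace(policy, trace)):
        print(f"{normalize_mac(mac)} {ev:7} cert={cert:16} -> {outcome}")
```

The model keeps serving the real certificate until a client has completed good_auths_before_test authentications, which is the point made above: a client that has never seen the correct certificate cannot pin it, and interleaving a wrong one at random just produces failed handshakes. Two caveats for anyone building this for real: Calling-Station-Id is the client's own claim of its MAC and is trivially spoofed, so the quarantine VLAN catches misconfigured supplicants, not hostile ones; and the model only distinguishes "completed" from "aborted", whereas a real implementation should count only TLS-handshake aborts, since with PEAP an inner password failure happens after the client has already accepted the server certificate.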




More information about the Freeradius-Users mailing list