iOS mysterious issues on Freeradius 3.0.14

[Alan DeKok]

> On Mar 23, 2017, at 5:29 AM, Peter Hutchison <p.j.hutchison at hud.ac.uk> wrote:
> 
> 
>> I've read a lot messages in Freeradius Forum and I continued misunderstand why iOS devices (iPhone, iPad) doesn't connect in my >WPA-Enterprise wifi network. I've installed and configured a freeradius server, version 3.0.14, over openssl 1.1.0e (both have >installed from sources on Debian 8). I've tested connect Android devices to my wifi network and everytime they can connect to >the network, but iOS devices have mysterious issues.
> 
> With PEAP you should *always* use Publicly recognised TLS/SSL certificates, preferably with a well-known CA source or one that your University supports.

  We've been recommending to NOT do this for well over a decade.

  The problem is that the CA will issue certificates to *anyone*.  And anyone can put up an SSID, and use a certificate signed by that CA.  With sufficient (i.e. minor) hacks, they can even have the certificate use your university DNS name.

  This is because the client generally remembers the CA, and *not* the server certificate associated with the SSID.

  The end user then happily hands his inner credentials (i.e. MS-CHAPv2) to a random person on the net, who then cracks them in about 10 minutes.

  Supplicant vendors are getting better at catching this, but even if they throw up a warning saying "New RADIUS server certificate!", 99% of users will just click through it.

  By using a self-signed CA, this issue is largely avoided.  Users can't generally click through warning prompts, they have to install the CA cert, and enable it for that SSID.

  Alan DeKok.