Help for buy a real Cert (not self-signed)

Alan Buxey alan.buxey at gmail.com
Thu May 4 00:02:36 CEST 2017 

the error is dependant on the version of Android and is no longer an
issue (IIRC) in latest versions.   the error would pop back up after a
reboot on those phones 'affected' - its a Googleism - and wrong of
them to treat eg enterprise intranet CAs etc in this way.

alan

On 3 May 2017 at 19:54, Brian Candler <b.candler at pobox.com> wrote:
> On 30/01/2017 15:52, Brian Candler wrote:
>>
>> On 30/01/2017 11:51, Spider s wrote:
>>>
>>> And now my questions, first I have got running my freeradius installation
>>> 3.10 on ubuntu) with AD Auth, but with limitations, because I need
>>> install
>>> my self-signed cert on all device for connect to wifi.
>>>
>>> I don’t want this (I don’t want install the certs), and I need buy a real
>>> cert for a real CA, I know ,but I never buy one for this.
>>
>>
>> I've been down this path, and I'm afraid you'll find it's a dead end.
>>
>> The problem is that some clients (specifically Android and Linux) have no
>> way to bind a particular SSID to a particular certificate *identity*.  They
>> will accept any certificate signed by the selected CA.
>>
>> What it means is, you are forced to create a throw-away CA purely for
>> RADIUS use. Even if you run your own existing private CA, you can't use it:
>> that's because anyone who has a certificate from your CA would be able to
>> set up a rogue access point and intercept everyone else's traffic.
>
>
> There's an additional issue.
>
> In Android, if you install your own trusted CA, then every time your phone
> boots up you get a scary notification saying "Network May Be Monitored by an
> unknown third party". If you click on it, it then says "A third party is
> capable of monitoring your network activity, including emails, apps and
> secure websites."
>
> If you dismiss it, it comes back after a few days or weeks.
>
> Googling around, the only ways I can find to disable this involve rooting
> your phone - which is not exactly in the spirit of maintaining good security
> - or deleting the cert, which gets you back to square one, with the very
> real risk that people will connect to your network with *no* cert validation
> at all.
>
> Does anyone have a way around this? Or do we just have to train users to
> ignore this error?
>
> Regards,
>
> Brian.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list