Freeradius vs Security

Mathieu Simon (Lists) matsimon.lists at
Tue Apr 2 16:01:24 CEST 2019


As Sebastian already wrote (as I was writing this message), many eduroam
institutions - at least european ones for what I can confirm - offer
preconfigured profiles or install wizards through the eduroam CAT
service. These profiles will often both set CA the supplicant should
trust and the server (CN) it should verify: *

This does not prevent users from manually configuring their supplicant
and ignore both CA and CN name on the certificate thus ending up with an
potentially insecure configuration exposing them to the scenario you

CAT makes things often easier for end-users and protects them against
individual misconfiguration, but we can't stop users from hurting
themselves either. ;-)

-- Mathieu

More information about the Freeradius-Users mailing list