Oooh I see now, thanks for the informations, I'll have a deeper look into this ;) My Samba AD is NT-domain style .. :( Thanks very much for your help :) Arnaud Le 10.04.2018 à 11:27, Stefan Winter a écrit :
Hello,
with no problem, means that a box in coming and I've to enter a username/password from my domain users. Once this is made, my username/password are stored and they are not requested anymore. In this case I didn't install any certificate of my computer. That's what I meant with "gaping security hole". An attacker can simply set up a Wi-Fi network with the same SSID and arbitrary RADIUS server, and your computer will happily send your username and password to that rogue attacker when in the vicinity.
In order to achieve security, a client device MUST verify the server-side certificate. And that means installing the CA, mark it as the CA to trust for this particular Wi-Fi network, and pinning the expected server name.
I.e. your perception of you not having a problem is wrong.
There are tools that allow you to specify your deployment details and get an installer that does the right settings out of it. One example is https://802.1x-config.org
For computers registered into the domain, they are several cases :
With windows 10 , I can connect if I do that before entering my username/password to start my session. Once my session started, I can't connect anymore.
For Windows 7, as I can't connect before entering in a session, I tested 2 different situations : 1 with a local account and 1 with a domain account. In both cases I can't connect to my wifi and the certificate error is coming.
My domain is a samba domain so I don't think (but not sure) I can use GPOs for this .. If it's a Samba 4 AD server, you should be able to. If it's a Samba 3 "NT-Domain" style server, then no.
Greetings,
Stefan Winter