On 23 December 2016 at 11:30, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
validates the SSID using certificates, it's not entirely clear how to make sure a fake SSID cannot steal user/pass from clients.
Since you use EAP-TTLS, use a self-signed CA, which signs your server and client certificates, then put the CA certificate onto the client devices. There's a lovely tool called eduroam CAT that does something like that, and Alan B on here has written about the iPhone configurator tool that provides the .mobileconfig for Apple devices (which makes that painless).
How would that be different from using a proper CA signed cert which we already have ?
Does that also mean we can have multiple domains pointing to multiple realms using seperate realms and domain_realm configurations ?
I don't use Kerberos, so I can't comment on that, but in AD environments you can tweak the mschap module's command to either hard-code the domain or take what's provided in the NAI (i.e. DOMAIN\username or username@DOMAIN).
Thats what I've seen as well, was hoping to get confirmation before going down that path. Will explore. Thanks for answering. Regards Henti -- --