On 01/02/2017 10:01, Spider s wrote:
Hello, thank you for you advise, but the problem is that i use active directory for auth, but olds printers and AP cant install the certs. Access Points don't have, or even check, certificates. The certificate goes in the RADIUS server and the EAP messages are forwarded end-to-end:
client <----------> access point <-----------> RADIUS < . . . . . . EAP request . . . . . . > server So there's zero problem with old APs. I'm not sure what you mean by printers in this context. Why would it need a certificate? Are you saying that you have a wireless printer, which *does* support WPA-Enterprise with EAP-PEAP/MSCHAPv2 for wireless access, but has a hard-coded set of root certificates?? I have never seen such a printer. I'd guess it's probably insecure anyway and doesn't check the root certificate at all. Try it. And if it doesn't work, connect it with an ethernet cable instead.
I need a solution for the users and dont need install the cert if possible. Your users will be able to connect without the cert; they'll just click through a few prompts. But it will be totally insecure.
Using a certificate from a trusted CA *doesn't help*, because they'll still have to click through a bunch of prompts in order to connect, and they won't be able to distinguish your signed cert from someone else's signed cert. For example, say I legitimately own the domain "evil.com". I buy a certificate for "wireless.evil.com". I set up an access point with your SSID. Your clients attach to it, and they will happily send me their passwords, and I will happily man-in-the-middle all their network traffic. They will only refuse to talk to my evil access point if either: 1. They have been configured to recognise only a specific named certificate, e.g. "wireless.yourdomain.com". This requires explicit configuration. Or: 2. They have been configured only to accept a certificate signed by a private CA which you have set up. This requires explicit configuration. In both cases, it's only secure if you do the explicit configuration, which means creating a profile which you load into their device. So you may as well learn how to do it. Option 1 is not available for Android and Linux clients. So you are forced to option 2.
I am not lazy to install certs, is a problem for easy usage of users and full compatibility.
I know what you mean, I wish this was sane - it would be great if everyone used FQDNs for SSIDs, and clients matched the SSID to the certificate identity. Unfortunately, it's not sane. Welcome to the real world. Regards, Brian.