validates the SSID using certificates, it's not entirely clear how to make sure a fake SSID cannot steal user/pass from clients.
Since you use EAP-TTLS, use a self-signed CA, which signs your server and client certificates, then put the CA certificate onto the client devices. There's a lovely tool called eduroam CAT that does something like that, and Alan B on here has written about the iPhone configurator tool that provides the .mobileconfig for Apple devices (which makes that painless).
Does that also mean we can have multiple domains pointing to multiple realms using seperate realms and domain_realm configurations ?
I don't use Kerberos, so I can't comment on that, but in AD environments you can tweak the mschap module's command to either hard-code the domain or take what's provided in the NAI (i.e. DOMAIN\username or username@DOMAIN). Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.