Hi, our solution is to "force" our users to use an installer for their settings. There is a free version of this kind of installer available here: <https://cat.eduroam.org/> This installer installs the root certificate in the certificate chain and configures the client so that it actually checks the validity of the certificate the RADIUS server presents – especially Android devices don't usually do that. --On 2. April 2019 um 10:32:17 -0300 Andre Forigato <andre.forigato@rnp.br> wrote:
I need to share information about the safety of Eduroam.
If a hacker installs an access point with the name of Eduroam, and this access point points to a Freeradius server, it is possible that the malicious person sees all the logins and passwords in the Freeradius logs.
How to avoid this situation? Should user institutions force their students to use personal certificates? (certificate issued by the institution itself to its students)
Reaffirming that the idea here is how to make users of university institutions not fall into the trap of malicious people. Anyone can set up an access point pointing to a fake freeradius server. And these malicious people can get the username and password from all the devices that connect to the Eduroam access point.
How can we solve this problem?
-- .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:. .:.Regionales Rechenzentrum (RRZK).:. .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.