On 30/09/16 11:25, Matthew Newton wrote:
Most things will do EAP-TTLS/PAP these days. Windows XP/7 are the only real big exceptions I'm aware of. And if XP is a problem then that's the least of your issues.
I thought Windows 7 *did* support it. (Out of the box, in case that is not crystal clear!) If it does not then it is a definite no-no - definitely lots of users on our network still using W7. I have even found some using XP and Vista in the last few months, although I cannot tell from the Apache logs whether they are wired or wifi.
But then, you should install a client CA root cert with pretty much whichever EAP method you use, otherwise you risk the same problem, to a greater or lesser degree, depending on the inner method. So this is something you should be doing anyway.
As I indicated earlier - this side of things is not really my bag. Mostly, I write code. However I have just looked at the instructions we give to users wishing to connect their Windows 8 machine to the wifi network and have seen this: - Untick “Verify the server’s identity by validating the certificate” So presumably we are at risk of people spoofing the SSID? (although I believe the Aerohive kit has stuff to identify and deal with what they call "rogue" access points).