Bjørn Mork wrote:
Herman Øie Kolden <herman@samfundet.no> writes:
On Tue, Mar 14, 2017 at 07:12:28PM -0400, Alan DeKok wrote:
I don't recommend using public CAs for WiFi authentication. It's insecure.
Interesting. Would you mind explaining why?
/usr/share/doc/freeradius/examples/certs/README in the Debian package says
In general, you should use self-signed certificates for 802.1x (EAP) authentication. When you list root CAs from other organizations in the "CA_file", you permit them to masquerade as you, to authenticate your users, and to issue client certificates for EAP-TLS.
Strictly speaking a self-signed certificate is a public-key certificate signed by the private key of the very same key pair (and not by another entity's private key). So while I fully agree with the statement above the term "self-signed certificate" is wrong. It should clearly say that you should run your own single-purpose EAP CA and distribute the EAP CA's public-key certificate in all your client configurations. Ciao, Michael.