On 30/01/2017 15:52, Brian Candler wrote:
On 30/01/2017 11:51, Spider s wrote:
And now my questions, first I have got running my freeradius installation 3.10 on ubuntu) with AD Auth, but with limitations, because I need install my self-signed cert on all device for connect to wifi.
I don’t want this (I don’t want install the certs), and I need buy a real cert for a real CA, I know ,but I never buy one for this.
I've been down this path, and I'm afraid you'll find it's a dead end.
The problem is that some clients (specifically Android and Linux) have no way to bind a particular SSID to a particular certificate *identity*. They will accept any certificate signed by the selected CA.
What it means is, you are forced to create a throw-away CA purely for RADIUS use. Even if you run your own existing private CA, you can't use it: that's because anyone who has a certificate from your CA would be able to set up a rogue access point and intercept everyone else's traffic.
There's an additional issue. In Android, if you install your own trusted CA, then every time your phone boots up you get a scary notification saying "Network May Be Monitored by an unknown third party". If you click on it, it then says "A third party is capable of monitoring your network activity, including emails, apps and secure websites." If you dismiss it, it comes back after a few days or weeks. Googling around, the only ways I can find to disable this involve rooting your phone - which is not exactly in the spirit of maintaining good security - or deleting the cert, which gets you back to square one, with the very real risk that people will connect to your network with *no* cert validation at all. Does anyone have a way around this? Or do we just have to train users to ignore this error? Regards, Brian.