On 23 December 2016 at 21:46, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
How would that be different from using a proper CA signed cert which we already have ?
The difference is that *you* control the CA, not some third party. You want to ensure that your clients only trust *your* CA infrastructure. :-)
With a third-party CA, you're beholden to their security requirements (or failures for that matter - look online about the Diginotar incident, you'll get the drift).
Hi Stefan, What you are saying of course makes sense, but I'm trying to understand the security mechanisms between and client and radius using SSL and how to ensure my users user/pass don't get stolen by a rogue AP/SSID impersonating ours. How does one ensure that when a user connects to SSID "MyCompany" they are actually sending user/pass to "MyCompany" using the correct SSL and Server validation ? To put it another way. Users have been taught to look at browsers address bar, to ensure they are talking to the correct server and that there is a lock next to the https to indicate the SSL cert fo rthat host has been validated (admittedly byt a thir party, which you have already pointed out has it's own insecurities) I need to show the business the same risk management before we can switch to WPA2 Enterprise away from a shared key, which again has it's own set of insecurities. So in a nutshell, how do I prove that Ivan the Hacker cannot just bring up his own AP with the same SSID and steal user credentials to get into our network to steal our data. Regards Henti -- --