Hi,
It seems that the list of trusted roots for WAP2 is different from the list of trusted roots used by your browser.
Each root CA has to flagged as being an authorised one for *this particular network*.
If your goal is just to let the user validate the certificate, instead of modifying the connection (it is tricky and error prone) just let them manually validate the certificate the first time they connect, it is faster. easier and goes in the flow.
Others have pointed at why this is a bad idea usability-wise (renewing certificate?) and security (training users to "Click Accept" on a security warning - they'll merrily do so the next time when a rogue server presents his unknown certificate).
My questions are: 1- In this context, is correct to say the Server Certicate Windwos is refering to, is a file somewhere in /etc/freeradius directory ? If positive, how does it look like ? A .pem file ? A .der file ?
2- Is it correct to hope that "if WiFi guests are somehow given such a Server Certificate file before trying to connect, they won't need to change Protected EAP Properties" ?
I never managed to do that.
There are tools which create ready-made installers, including a CA certificate, marking it as trusted, etc. Your mail address implies that you work at an academic institution. If this happens to be about eduroam, take a look at https://cat.eduroam.org. If this is a non-eduroam network, take a look at e.g. https://802.1x-config.org. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66