RE: Alternate server certificate
Don't both solutions have the same risk (my first idea was to use a 2nd eap instance with the public CA)? I understand the risk; but, in this case, it's a tradeoff between presenting a cert signed by a public CA (makes it easier for these outside users to configure our wireless), have all guest users not validate the server cert (even worse) or distribute our internal CA's cert to every guest user (not logistically practical).
So, why do you bother authenticating users on guest SSID at all? Just leave it open. Even if there is a registration form or such stuff where user will be giving sensitive information that should be protected by SSL on the web server anyway - no need to encrypt on wireless side as well. And the fact that someone can snoop and find out which information pages are your guests reading shouldn't really be of any practical concern. Ivan Kalik Kalik Informatika ISP
participants (1)
-
Ivan Kalik