Alternate server certificate
Ivan Kalik
tnt at kalik.net
Tue Jul 21 11:12:39 CEST 2009
> Don't both solutions have the same risk (my first idea was to use a 2nd
> eap instance with the public CA)? I understand the risk; but, in this
> case, it's a tradeoff between presenting a cert signed by a public CA
> (makes it easier for these outside users to configure our wireless), have
> all guest users not validate the server cert (even worse) or distribute
> our internal CA's cert to every guest user (not logistically practical).
So, why do you bother authenticating users on the guest SSID at all? Just
leave it open. Even if there is a registration form or such stuff where
the user will be giving sensitive information, that should be protected by
SSL on the web server anyway - no need to encrypt on the wireless side as
well. And the fact that someone can snoop and find out which information
pages your guests are reading shouldn't really be of any practical concern.
Ivan Kalik
Kalik Informatika ISP