PEAP using different CA?

Stefan Winter stefan.winter at
Wed Jul 10 16:17:18 CEST 2013


>>> To avoid the need of installing our CA certificate on every Windows
>>> machine, we´ll buy the server certificate from a public CA.

Having the CA cert installed only does half of the job; for EAP
configuration purposes, the CA must explicitly marked as trusted /for
this EAP identity/.

So you still need to tell users to set a checkbox besides that CA. The
difference to importing the CA before that is not much more work; on
Windows, it's a couple of clicks only.

> If this is a usability issue, I recommend you look at dissolvable setup clients like cloudpath, or investigate the various certificate/settings bundles that things like iPhones support.

And since he is from a university and likely his deployment is an
eduroam one, you should also mention the dissolvable client setup tool
"eduroam CAT", , which is free and tailored to

It will install private CAs just as fine and automated as it does
commercial CAs.


Stefan Winter

> Arran Cudbard-Bell <a.cudbardb at>
> FreeRADIUS Development Team
> -
> List info/subscribe/unsubscribe? See

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list