Multiple realms and network validation with WPA2 Enterprise
henti at geekware.co.za
Thu Dec 22 07:20:34 CET 2016
Good morning all.
I've searched a bit and while I found some information about how the client
validates the SSID using certificates, it's not entirely clear how to make
sure a fake SSID cannot steal user/pass from clients.
As per previous mails, we're running EAP method TTLS with PAP 2nd phase
against a Kerberos oracle.
We're using CA signed wildcard cert for our internal network.
Do we need to use a username@domain username structure to validate the
realm (I assume using the domain_realm config in /etc/krb5.conf) use SSL to
validate the radius server it's communicating with?
Does that also mean we can have multiple domains pointing to multiple
realms using separate realms and domain_realm configurations?