Multiple realms and network validation with WPA2 Enterprise

Henti Smith henti at
Thu Dec 22 07:20:34 CET 2016

Good morning all.

I've searched a bit and while I found some information about how the client
validates the SSID using certificates, it's not entirely clear how to make
sure a fake SSID cannot steal user/pass from clients.

As per previous mails, we're running EAP method TTLS with PAP 2nd phase
against a Kerberos oracle.

We're using CA signed wildcard cert for our internal network.

Do we need to use a username at domain username structure to validate the
realm (I assume using the domain_realm config in /etc/krb5.conf) use SSL to
validate the radius server it's communicating with?

Does that also mean we can have multiple domains pointing to multiple
realms using separate realms and domain_realm configurations?


