Multiple realms and network validation with WPA2 Enterprise
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Fri Dec 23 12:30:15 CET 2016
> validates the SSID using certificates, it's not entirely clear how to make
> sure a fake SSID cannot steal user/pass from clients.
Since you use EAP-TTLS, use a self-signed CA, which signs your server and client certificates, then put the CA certificate onto the client devices. There's a lovely tool called eduroam CAT that does something like that, and Alan B on here has written about the iPhone configurator tool that provides the .mobileconfig for Apple devices (which makes that painless).
> Does that also mean we can have multiple domains pointing to multiple
> realms using separate realms and domain_realm configurations?
I don't use Kerberos, so I can't comment on that, but in AD environments you can tweak the mschap module's command to either hard-code the domain or take what's provided in the NAI (i.e. DOMAIN\username or username at DOMAIN).
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
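The client-side half of the advice above (ship the CA certificate to the device and make the supplicant refuse any RADIUS server not issued by it) looks like this as a wpa_supplicant network block. This is an added example, not from the original post or from the FreeRADIUS project; the CA path, realm, server name and username are assumptions.

```text
# wpa_supplicant.conf, one network block for a WPA2-Enterprise SSID with EAP-TTLS.
# Added example; paths and names below are placeholders, not from the original mail.
network={
    ssid="example-eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"

    # Outer (anonymous) identity only carries the realm, so the real username
    # is never sent outside the TLS tunnel.
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="replace-me"

    # Trust only your own self-signed CA, not the system store. A rogue AP
    # presenting a certificate from any other CA fails the TLS handshake
    # before the inner MSCHAPv2 credentials are ever sent.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"

    # Also check the server certificate names the expected RADIUS server,
    # so a certificate from the same CA issued for another host is rejected.
    domain_match="radius.example.org"
}
```

Without `ca_cert` wpa_supplicant accepts any server certificate, which is exactly the "fake SSID steals user/pass" case the question asks about; `domain_match` closes the remaining gap where the CA has issued more than one server certificate.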
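For the AD part of the reply, the mschap module's `ntlm_auth` command is where the domain is either hard-coded or taken from what the user supplied. The following is an added example of the two variants, not the original poster's configuration; the domain name `EXAMPLE` and the ntlm_auth path are placeholders.

```text
# raddb/mods-available/mschap (FreeRADIUS 3.x), added example with placeholder values.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # Strip a leading DOMAIN\ from the username before the lookup.
    with_ntdomain_hack = yes

    # Variant 1: hard-code the domain. Every user is authenticated against
    # EXAMPLE regardless of what prefix or realm they typed.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

    # Variant 2 (comment out variant 1 to use it): take the domain from the
    # DOMAIN\username form the client sent, falling back to EXAMPLE when
    # the user gave no domain at all.
    # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

For the `username@DOMAIN` (NAI) form, the realm module splits off the realm into `Realm` and the bare name into `Stripped-User-Name` before mschap runs, so `--domain=%{Realm}` can be used in place of the `NT-Domain` expansion; whichever variant is chosen, verify with `radtest` or `ntlm_auth` on the command line that the domain actually being passed is the one you expect before enabling it on a live server.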