Multiple realms and network validation with WPA2 Enterprise

Henti Smith henti at
Fri Dec 23 13:08:47 CET 2016

On 23 December 2016 at 11:30, Stefan Paetow <Stefan.Paetow at> wrote:

> > validates the SSID using certificates, it's not entirely clear how to
> > make sure a fake SSID cannot steal user/pass from clients.
> Since you use EAP-TTLS, use a self-signed CA, which signs your server and
> client certificates, then put the CA certificate onto the client devices.
> There's a lovely tool called eduroam CAT that does something like that, and
> Alan B on here has written about the iPhone configurator tool that provides
> the .mobileconfig for Apple devices (which makes that painless).

How would that be different from using a proper CA-signed cert, which we
already have?

> > Does that also mean we can have multiple domains pointing to multiple
> > realms using separate realms and domain_realm configurations?
> I don't use Kerberos, so I can't comment on that, but in AD environments
> you can tweak the mschap module's command to either hard-code the domain or
> take what's provided in the NAI (i.e. DOMAIN\username or username at DOMAIN).

That's what I've seen as well; I was hoping to get confirmation before going
down that path. Will explore.

Thanks for answering.
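The client-side half of the advice above (trust only your own CA and check the server's name), written out as an added wpa_supplicant example; it is not from either participant in this thread, and the SSID, realm, CA file path and RADIUS server name are assumed placeholders:

```conf
# wpa_supplicant.conf (added example; every value below is an assumed placeholder)
network={
    ssid="corp-wifi"                              # assumed SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@alpha.example"  # outer identity; the real user name travels only inside the TLS tunnel
    identity="user@alpha.example"                 # NAI with realm suffix
    password="REPLACE-ME"
    # Trust anchor: only the organisation's own CA file, not the system-wide public root store.
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"     # assumed path
    # The server certificate must also carry this name, so a certificate issued by the
    # same CA to some other host is still rejected.
    domain_suffix_match="radius.alpha.example"    # assumed RADIUS server name
}
```

This is also where the difference between a private CA and a public one shows up: with a public root in `ca_cert`, every certificate chained to that root passes the first check, so `domain_suffix_match` (or the equivalent setting in a .mobileconfig or eduroam CAT profile) is the only thing separating your server from any other certificate holder under that CA; with a private CA both checks apply.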
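The server-side variant Stefan describes (domain hard-coded versus taken from the NAI) next to one realm block per domain, as an added FreeRADIUS 3.x example rather than anything posted in the thread or shipped by the project; the domain name CORP, the realm names and the ntlm_auth path are assumed placeholders:

```conf
# mods-available/mschap (added example, not the project's stock file)
mschap {
    with_ntdomain_hack = yes        # clients that send DOMAIN\user

    # Either hard-code one AD domain ...
    # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name} --domain=CORP --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

    # ... or take the domain the client supplied in the NAI (CORP\user or user@CORP),
    # falling back to CORP when the name carried no domain.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-CORP} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# proxy.conf: one realm block per domain this server answers for. The "suffix" and
# "ntdomain" instances of the realm module (mods-available/realm) split the NAI,
# set Realm and Stripped-User-Name, and look the realm name up here.
realm alpha.example {
    authhost = LOCAL
    accthost = LOCAL
}
realm beta.example {
    authhost = LOCAL
    accthost = LOCAL
}
# No "realm DEFAULT" on purpose: a name in a realm not listed here is left untouched
# by the realm module (noop) instead of being matched by a catch-all and forwarded.
```

`%{mschap:User-Name}` expands to the user name with any NT domain stripped and `%{mschap:NT-Domain}` to the domain part, so the same ntlm_auth line serves both the `DOMAIN\user` and `user@DOMAIN` forms; the realm blocks decide which domains are local, and any domain that is not listed simply never matches.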
