Multiple realms and network validation with WPA2 Enterprise

Henti Smith henti at geekware.co.za
Fri Dec 23 13:08:47 CET 2016


On 23 December 2016 at 11:30, Stefan Paetow <Stefan.Paetow at jisc.ac.uk>
wrote:

> > validates the SSID using certificates, it's not entirely clear how to
> > make sure a fake SSID cannot steal user/pass from clients.
>
> Since you use EAP-TTLS, use a self-signed CA, which signs your server and
> client certificates, then put the CA certificate onto the client devices.
> There's a lovely tool called eduroam CAT that does something like that, and
> Alan B on here has written about the iPhone configurator tool that provides
> the .mobileconfig for Apple devices (which makes that painless).
>

How would that be different from using a proper CA-signed cert, which we
already have?


> > Does that also mean we can have multiple domains pointing to multiple
> > realms using separate realms and domain_realm configurations ?
>
> I don't use Kerberos, so I can't comment on that, but in AD environments
> you can tweak the mschap module's command to either hard-code the domain or
> take what's provided in the NAI (i.e. DOMAIN\username or username at DOMAIN).
>


That's what I've seen as well; I was hoping to get confirmation before going
down that path. Will explore.

Thanks for answering.

Regards
Henti
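
Added example, not part of either message above: a wpa_supplicant network
block showing the client-side check that decides whether a fake SSID can
harvest the inner MSCHAPv2 exchange. With a publicly trusted CA the client
trusts every certificate that CA issues, so the server name must be pinned
as well; with a private CA only certificates you issued validate, which is
the practical difference between the two approaches. The SSID, realm, CA
path and server name are assumed placeholders.

```conf
# Added example (not from the thread). SSID, identities, CA path and server
# name are assumed placeholders.

# WEAK: no ca_cert means the supplicant accepts any server certificate, so a
# rogue AP broadcasting the same SSID completes the TLS tunnel and receives
# the inner MSCHAPv2 challenge/response.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    identity="user@example.com"
    password="..."
    disabled=1
}

# HARDENED: trust only the CA that issues the RADIUS server certificates and
# require the certificate's name to match; a mismatch aborts before phase 2.
# anonymous_identity keeps the real username out of the cleartext outer
# identity.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="..."
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
}
```

If the CA file is the organisation's own private CA, ca_cert alone already
limits trust to your RADIUS servers; domain_match (or domain_suffix_match)
is what makes a publicly issued certificate safe to use, because it rejects
a valid certificate issued to someone else's hostname.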

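Added example for the domain handling Stefan describes, not code from the
thread or from the FreeRADIUS project: a mods-available/mschap fragment that
passes the NT domain taken from the NAI to ntlm_auth and falls back to a
fixed domain when the client sent a bare username. The ntlm_auth path and the
EXAMPLE domain are assumed placeholders.

```conf
# Added example (not from the thread). ntlm_auth path and the fallback
# domain "EXAMPLE" are assumed placeholders.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # Windows clients send DOMAIN\user but compute the response over "user"
    # alone; this makes the module do the same.
    with_ntdomain_hack = yes

    # %{mschap:NT-Domain} yields the domain part of DOMAIN\user (or
    # user@DOMAIN in FreeRADIUS 3); %{%{...}:-EXAMPLE} substitutes EXAMPLE
    # when the login name carried no domain at all. Replace the fallback
    # with a literal --domain=EXAMPLE to hard-code it instead.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Run radiusd -X and watch the expanded ntlm_auth command line in the debug
output to confirm which domain each request ends up with before rolling this
out.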


More information about the Freeradius-Users mailing list