Multiple realms and network validation with WPA2 Enterprise

Henti Smith henti at
Sat Dec 24 01:07:38 CET 2016

On 23 December 2016 at 21:46, Stefan Paetow <Stefan.Paetow at>

> >How would that be different from using a proper CA-signed cert which we
> >already have?
> The difference is that *you* control the CA, not some third party. You
> want to ensure that your clients only trust *your* CA infrastructure. :-)
> With a third-party CA, you're beholden to their security requirements (or
> failures for that matter - look online about the DigiNotar incident,
> you'll get the drift).

Hi Stefan,

What you are saying of course makes sense, but I'm trying to understand the
security mechanisms between a client and RADIUS using SSL and how to
ensure my users' user/pass don't get stolen by a rogue AP/SSID impersonating
ours. How does one ensure that when a user connects to SSID "MyCompany"
they are actually sending user/pass to "MyCompany" using the correct SSL
and server validation?

To put it another way. Users have been taught to look at the browser's address
bar, to ensure they are talking to the correct server and that there is a
lock next to the https to indicate the SSL cert for that host has been
validated (admittedly by a third party, which you have already pointed out
has its own insecurities). I need to show the business the same risk
management before we can switch to WPA2 Enterprise away from a shared key,
which again has its own set of insecurities.

So in a nutshell, how do I prove that Ivan the Hacker cannot just bring up
his own AP with the same SSID and steal user credentials to get into our
network to steal our data?
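An added example, not part of the original thread or of any reply in it: the client-side equivalent of the browser's padlock is the supplicant's server-certificate check. Below is a wpa_supplicant network block in the weak form (no CA pinned, so any server presenting a certificate is accepted) next to the form that ties the connection to the organisation's own CA and RADIUS host name. The SSID, CA file path, host name and identity are placeholders chosen for illustration; the option names (ca_cert, domain_suffix_match, phase2, anonymous_identity) are standard wpa_supplicant settings.

```conf
# WEAK: no ca_cert, so the supplicant will complete the TLS handshake
# with whatever server answers on SSID "MyCompany" and then send the
# MSCHAPv2 inner credentials through that tunnel.
network={
    ssid="MyCompany"                 # placeholder SSID from the thread
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                 # placeholder username
    password="REPLACE-WITH-PASSWORD" # placeholder
    phase2="auth=MSCHAPV2"
    # ca_cert deliberately missing: server identity is not verified
}

# HARDENED: the TLS tunnel is only established if the RADIUS server's
# certificate chains to the organisation's own CA and its name matches,
# so the inner MSCHAPv2 exchange never reaches an impostor AP.
network={
    ssid="MyCompany"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@mycompany.example"   # placeholder outer identity
    identity="alice"
    password="REPLACE-WITH-PASSWORD"
    ca_cert="/etc/ssl/certs/mycompany-radius-ca.pem"   # placeholder path to the internal CA
    domain_suffix_match="radius.mycompany.example"     # placeholder RADIUS host name
    phase2="auth=MSCHAPV2"
}
```

With the second block, a rogue AP advertising the same SSID cannot obtain the user's password, because the inner authentication is only started after the server certificate has been validated against the pinned CA and name; the supplicant aborts the EAP exchange at the TLS stage and logs a certificate failure instead. The pinned CA file and host name are what an administrator distributes with the profile, which is the WPA2 Enterprise analogue of the browser padlock the user has been taught to look for.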

More information about the Freeradius-Users mailing list