Multiple realms and network validation with WPA2 Enterprise
A.L.M.Buxey at lboro.ac.uk
Sat Dec 24 17:55:23 CET 2016
Hi,
> How would that be different from using a proper CA signed cert which we
> already have ?
Because anyone can get a server cert signed by that CA - and most clients are dumb,
so cannot be set to trust the common name... so such clients are ripe to be MITM attacked
trivially. Very big issue if using EAP-TTLS PAP... and almost just as big for MSCHAPv2 inner,
which just takes a little more effort to recover the password.
Don't use public CA for secure 802.1X
alan
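
An added example, not part of the original post: a small audit of a wpa_supplicant configuration that flags 802.1X networks whose server validation leaves the gap described above (no CA, a public CA bundle, or no server name check, with inner PAP called out). The sample config, SSIDs, file paths and the list of public bundle locations are constructed assumptions; the option names are wpa_supplicant's own.

```python
import re
# Constructed sample wpa_supplicant.conf (SSIDs, paths and names are made up).
SAMPLE = '''
network={
    ssid="campus-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/private-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''

# Options that tie the server certificate to an expected name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
# Assumed locations of system-wide public CA bundles.
PUBLIC_BUNDLES = ("/etc/ssl/certs/ca-certificates.crt", "/etc/pki/tls/certs/ca-bundle.crt")

def parse_networks(text):
    """Return one dict of option -> unquoted value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        lines = [l.strip() for l in body.splitlines()]
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map each WPA-EAP SSID to its list of server-validation findings."""
    report = {}
    for n in parse_networks(text):
        if "WPA-EAP" not in n.get("key_mgmt", ""):
            continue
        f = []
        if "ca_cert" not in n:
            f.append("no ca_cert: any server certificate is accepted")
        elif n["ca_cert"] in PUBLIC_BUNDLES:
            f.append("ca_cert is a public CA bundle: any cert it signs is trusted")
        if not any(k in n for k in NAME_CHECKS):
            f.append("no server name check configured")
        if f and "AUTH=PAP" in n.get("phase2", "").upper():
            f.append("inner PAP: password is cleartext inside the tunnel")
        report[n.get("ssid", "?")] = f
    return report
```

Calling `audit(SAMPLE)` returns three findings for `campus-weak` and an empty list for `campus-pinned`.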
More information about the Freeradius-Users
mailing list