Multiple realms and network validation with WPA2 Enterprise

A.L.M.Buxey at A.L.M.Buxey at
Sat Dec 24 17:55:23 CET 2016


> How would that be different from using a proper CA signed cert which we
> already have ?

because anyone can get a server cert signed by that CA - and most clients are dumb
so cannot be set to trust the commonname. such clients are ripe to be MITM attacked
trivially. very big issue if using EAP-TTLS PAP... and almost just as big for MSCHAPv2 inner,
which just takes a little more effort to recover the password.

don't use public CA for secure 802.1X


More information about the Freeradius-Users mailing list
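
The exposure described in the message above can be checked on the client side. The following is an added example, not part of the original post or of FreeRADIUS: a small audit of `wpa_supplicant.conf` network blocks that flags missing CA pinning, a public CA bundle used as trust anchor, and a missing server name constraint. The sample configuration, the names `parse_networks` and `audit`, and the list of public bundle paths are assumptions made for illustration.

```python
import re
# Constructed sample wpa_supplicant.conf (not taken from the thread).
SAMPLE_CONF = '''
network={
    ssid="campus-a"
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="campus-b"
    eap=PEAP
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-c"
    eap=PEAP
    ca_cert="/etc/wpa_supplicant/private-radius-ca.pem"
    domain_match="radius.example.org"
}
'''

NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")
# Assumption: these prefixes are where a system bundle of public CAs usually lives.
PUBLIC_BUNDLES = ("/etc/ssl/certs", "/etc/pki/tls/certs")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = re.findall(r"^\s*([A-Za-z0-9_]+)=(.*?)\s*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List the server-validation weaknesses of one EAP network block."""
    if "eap" not in net:
        return []
    findings = []
    ca = net.get("ca_cert") or net.get("ca_path")
    if not ca:
        findings.append("no ca_cert/ca_path: server certificate is not validated")
    elif ca.startswith(PUBLIC_BUNDLES):
        findings.append("trust anchor is a public CA bundle: anyone can get a cert it trusts")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name constraint: any cert from a trusted CA is accepted")
    if findings and net.get("phase2", "").upper().endswith("=PAP"):
        findings.append("inner PAP: password is readable by whoever terminates the tunnel")
    return findings
```

Running `audit` over each block from `parse_networks(SAMPLE_CONF)` reports three findings for `campus-a`, two for `campus-b`, and none for `campus-c`, which pins a private CA and the server name.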