Multiple realms and network validation with WPA2 Enterprise

Arran Cudbard-Bell a.cudbardb at
Tue Dec 27 01:41:39 CET 2016

>> So in a nutshell, how do I prove that Ivan the Hacker cannot just bring up
>> his own AP with the same SSID and steal user credentials to get into our
>> network to steal our data.

Short answer, in a BYOD environment, where the devices aren't pre-configured with wireless profiles - you can't.  Supplicant security negotiation is horrifically bad.  Using PSKs doesn't make it any better as the attacker can configure a WPA2-Enterprise secured version of the SSID.

Where you pre-deploy profiles, the user should not be involved in any security decisions.  The supplicant will not send credentials if it cannot validate the server certificate.  Ideally if you control the device, the user should be prevented from modifying the 802.1X configuration at all, and unrecognised 802.1X authenticated networks should be blocked.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

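As an added illustration of the point above about supplicants refusing to send credentials until the server certificate is validated (this is not code from the post or from FreeRADIUS), here is a small audit over wpa_supplicant-style network blocks that flags 802.1X profiles lacking a CA pin or a server-name match. The configuration text, CA path and server name are constructed placeholders.

```python
import re

# Constructed sample (not from the post): two profiles for the same SSID. The first
# trusts any server certificate; the second pins the organisation's CA and server name.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_blocks(text):
    """Parse each network={...} block into a dict of key -> unquoted value."""
    blocks = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def audit(entry):
    """Findings for one 802.1X block; an empty list means the server certificate is checked."""
    findings = []
    key_mgmt = entry.get("key_mgmt", "")
    if "EAP" in key_mgmt or "IEEE8021X" in key_mgmt:
        if "ca_cert" not in entry and "ca_path" not in entry:
            findings.append("no ca_cert/ca_path: server certificate is not validated")
        if not any(k in entry for k in NAME_KEYS):
            findings.append("no server name match: any cert from the trusted CA is accepted")
    return findings

def audit_config(text):
    return [(b.get("ssid", "?"), audit(b)) for b in parse_blocks(text)]
```

Run `audit_config` over a real wpa_supplicant.conf to list every profile that would hand credentials to an unverified server; non-EAP (PSK) blocks are skipped since the check does not apply to them.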