Multiple realms and network validation with WPA2 Enterprise

Henti Smith henti at
Tue Dec 27 09:48:53 CET 2016

Thank you all for the information.


On 27 December 2016 at 00:41, Arran Cudbard-Bell <a.cudbardb at>

> >> So in a nutshell, how do I prove that Ivan the Hacker cannot just bring up
> >> his own AP with the same SSID and steal user credentials to get into our
> >> network to steal our data.
> Short answer, in a BYOD environment, where the devices aren't
> pre-configured with wireless profiles - you can't.  Supplicant security
> negotiation is horrifically bad.  Using PSKs doesn't make it any better as
> the attacker can configure a WPA2-Enterprise secured version of the SSID.
> Where you pre-deploy profiles, the user should not be involved in any
> security decisions.  The supplicant will not send credentials if it cannot
> validate the server certificate.  Ideally if you control the device, the
> user should be prevented from modifying the 802.1X configuration at all,
> and unrecognised 802.1X authenticated networks should be blocked.
> -Arran
> Arran Cudbard-Bell <a.cudbardb at>
> FreeRADIUS Development Team
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
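An added example (not from this thread, and not FreeRADIUS project code) of the supplicant-side setting Arran's reply turns on, as two wpa_supplicant network blocks: the first omits server certificate validation, so the supplicant will start the EAP exchange with any AP that broadcasts the SSID; the second pins the issuing CA and the RADIUS server's name, so credentials are only sent once the server is validated. The SSID, identity, CA path and server name are placeholders.

```conf
# Weak: no ca_cert, so any server certificate is accepted and the inner
# MSCHAPv2 exchange is performed with whoever answers on this SSID,
# which is exactly the rogue-AP case described above.
network={
    ssid="CorpWiFi"                   # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"       # placeholder identity
    password="..."                    # placeholder
    phase2="auth=MSCHAPV2"
}

# Hardened: the chain must validate against the deployed CA and the
# server certificate's name must match the RADIUS server, so a certificate
# for some other host (even from the same or a public CA) is rejected and
# no credentials are sent. Ship this as a managed profile the user cannot
# edit, rather than letting the supplicant prompt the user.
network={
    ssid="CorpWiFi"                   # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"       # placeholder identity
    password="..."                    # placeholder
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # placeholder: CA that issued the RADIUS cert
    domain_suffix_match="radius.example.org"      # placeholder: server cert SAN/CN must end with this
}
```

Without ca_cert, wpa_supplicant logs the server certificate but does not reject it; with both settings present, a mismatch fails the TLS handshake before the inner authentication runs.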

