Help for buy a real Cert (not self-signed)

Brian Candler b.candler at
Mon Jan 30 16:52:23 CET 2017

On 30/01/2017 11:51, Spider s wrote:
> And now my questions, first I have got running my freeradius installation
> 3.10 on ubuntu) with AD Auth, but with limitations, because I need install
> my self-signed cert on all device for connect to wifi.
> I don’t want this (I don’t want install the certs), and I need buy a real
> cert for a real CA, I know ,but I never buy one for this.

I've been down this path, and I'm afraid you'll find it's a dead end.

The problem is that some clients (specifically Android and Linux) have 
no way to bind a particular SSID to a particular certificate 
*identity*.  They will accept any certificate signed by the selected CA.

What it means is, you are forced to create a throw-away CA purely for 
RADIUS use. Even if you run your own existing private CA, you can't use 
it: that's because anyone who has a certificate from your CA would be 
able to set up a rogue access point and intercept everyone else's traffic.

Windows, OSX and (I think) iOS don't have this problem. You can create 
profiles for them which only accept a certificate with a given identity 
or identifies (say, ""). You can then get this 
cert from a public CA - even for free from Letsencrypt.  If the access 
point presents a certificate with a different identity, the client will 
refuse to connect.

But your Android and Linux users will be totally insecure. If you 
configured them to accept (say) the Letsencrypt CA, they will accept 
*any* certificate from the Letsencrypt CA, and happily send both their 
credentials and all their network traffic via the rogue access point.

This IMO is a major flaw in wpa_supplicant, but that's just how it is.

In any case, it's very important that you don't let your clients simply 
connect to your access point and click through all the prompts - they 
must install a pre-configured profile. If they don't, they will most 
likely have an insecure setup. EAP-PEAP is highly insecure by default.

There *is* a way to do strong mutual password authentication without 
certificates: it's called EAP-pwd.  It's supported by FreeRADIUS, Linux 
and Android. But unfortunately it's not implemented in Windows or OSX :-(



More information about the Freeradius-Users mailing list