TTLS+PAP with Windows

Herwin Weststrate herwin at
Wed Mar 15 11:07:15 CET 2017

On 15-03-17 11:00, Herman Øie Kolden wrote:
> On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
>> In general, you should use self-signed certificates for 802.1x (EAP)
>> authentication. When you list root CAs from other organizations in the
>> "CA_file", you permit them to masquerade as you, 
> Why is this a concern for EAP, but not for regular web certificates?

Web certificates have a check to see if the DNS name matches the
certificate. You can do a hostname check with some RADIUS supplicants,
but 90% of the people don't use it. This means there is only one check
remaining: is this certificate valid according to some certificate
authority on this device. This means I can order a certificate for and
use that on a rogue access point inside company Bar.

Herwin Weststrate
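The two validation modes described in the reply, shown as an added example that is not part of the original post: a wpa_supplicant network block for TTLS+PAP (used here as one supplicant that does support the name check). The SSID, credentials, CA file paths and the RADIUS server name are assumed values.

```conf
# Added example, not from the mailing list post. All names and paths are assumed.

# Weak: the supplicant only checks that the server certificate chains to
# some CA in a public bundle. Any holder of a certificate from any of those
# CAs can stand up a rogue access point that passes this check, because no
# server name is ever compared.
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="user"
    password="secret"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

# Hardened: trust only the organisation's own (self-signed) RADIUS CA and
# require the server certificate's subject/SAN to match the expected name.
# Now a certificate from an unrelated CA fails the chain check, and a
# certificate from the right CA with the wrong name fails the name check.
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="user"
    password="secret"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    # for a whole subtree use: domain_suffix_match="corp.example"
}
```

The second block also illustrates the point of the earlier reply: with a private CA in `ca_cert`, listing other organisations' root CAs is unnecessary and only widens who can masquerade as the server.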

More information about the Freeradius-Users mailing list