Help for buy a real Cert (not self-signed)
Brian Candler
b.candler at pobox.com
Wed May 3 20:54:30 CEST 2017
On 30/01/2017 15:52, Brian Candler wrote:
> On 30/01/2017 11:51, Spider s wrote:
>> And now my questions. First, I have got my FreeRADIUS installation
>> (3.10 on Ubuntu) running with AD auth, but with limitations, because I
>> need to install my self-signed cert on all devices to connect to Wi-Fi.
>>
>> I don’t want this (I don’t want to install the certs), and I need to
>> buy a real cert from a real CA, I know, but I have never bought one for
>> this.
>
> I've been down this path, and I'm afraid you'll find it's a dead end.
>
> The problem is that some clients (specifically Android and Linux) have
> no way to bind a particular SSID to a particular certificate
> *identity*. They will accept any certificate signed by the selected CA.
>
> What it means is, you are forced to create a throw-away CA purely for
> RADIUS use. Even if you run your own existing private CA, you can't
> use it: that's because anyone who has a certificate from your CA would
> be able to set up a rogue access point and intercept everyone else's
> traffic.
There's an additional issue.

In Android, if you install your own trusted CA, then every time your
phone boots up you get a scary notification saying "Network May Be
Monitored by an unknown third party". If you click on it, it then says
"A third party is capable of monitoring your network activity, including
emails, apps and secure websites."

If you dismiss it, it comes back after a few days or weeks.

Googling around, the only ways I can find to disable this involve
rooting your phone - which is not exactly in the spirit of maintaining
good security - or deleting the cert, which gets you back to square one,
with the very real risk that people will connect to your network with
*no* cert validation at all.

Does anyone have a way around this? Or do we just have to train users to
ignore this error?
Regards,
Brian.
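An added illustration of the point made above about CA-only validation; this is example code, not part of the thread or of FreeRADIUS. A throw-away CA issues one certificate to the RADIUS server and another to an unrelated name. A check that only verifies the chain to the CA accepts both certificates, which is why any holder of a certificate from the same CA could stand up a server the client would trust; only a check that also pins the expected server name rejects the second one. The CA name, the hostnames and the file names are constructed placeholders; it assumes an OpenSSL with `-addext`-era `req` and `verify -verify_hostname` support (1.1.0 or later).

```shell
#!/bin/sh
# Constructed demonstration: a throw-away CA signs two server certificates.
# All names here (Example RADIUS CA, radius.example.com, other.example.com)
# are placeholders, not values from the thread.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A private CA used for nothing but RADIUS (self-signed root).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example RADIUS CA" -keyout ca.key -out ca.pem 2>/dev/null

# issue_cert PREFIX DNSNAME: key + CSR + CA-signed leaf with a DNS SAN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# 2. The real RADIUS server cert, and a second cert from the same CA
#    issued to some other name (any other holder of a cert from this CA).
issue_cert legit radius.example.com
issue_cert other other.example.com

# 3a. CA-only validation: the client trusts the CA and nothing else.
ca_only_ok() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# 3b. CA + identity validation: the client also pins the server name.
pinned_ok() {
  openssl verify -CAfile ca.pem -verify_hostname radius.example.com \
    "$1" >/dev/null 2>&1
}

# 4. Show the difference for both certificates.
for c in legit other; do
  if ca_only_ok "$c.pem"; then a=accept; else a=reject; fi
  if pinned_ok "$c.pem"; then b=accept; else b=reject; fi
  printf '%-6s CA-only: %-6s  CA+name: %s\n' "$c" "$a" "$b"
done
```

Running it prints that `other.pem` is accepted by the CA-only check and rejected only once the expected name is pinned. The name check is the piece a client has to perform in addition to chain validation; whether a given supplicant exposes that setting per SSID is the client-side gap the thread is discussing.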