WPA2-Entreprise: which certificate to avoid changing Validate server certificate for Windows guest ?

Stefan Winter stefan.winter at restena.lu
Tue Sep 11 13:55:27 CEST 2018


> It seems that the list of trusted roots for WAP2 is different from the
> list of trusted roots used by your browser.

Each root CA has to flagged as being an authorised one for *this
particular network*.

> If your goal is just to let the user validate the certificate, instead
> of modifying the connection (it is tricky and error prone) just let them
> manually validate the certificate the first time they connect, it is
> faster. easier and goes in the flow.

Others have pointed at why this is a bad idea usability-wise (renewing
certificate?) and security (training users to "Click Accept" on a
security warning - they'll merrily do so the next time when a rogue
server presents his unknown certificate).

>> My questions are:
>> 1- In this context, is correct to say the Server Certicate Windwos is
>> refering to, is a file somewhere in /etc/freeradius directory ? If
>> positive, how does it look like ? A .pem file ? A .der file ?
>> 2- Is it correct to hope that  "if WiFi guests are somehow given such a
>> Server Certificate file before trying to connect, they won't need to change
>> Protected EAP Properties" ?
> I never managed to do that.

There are tools which create ready-made installers, including a CA
certificate, marking it as trusted, etc. Your mail address implies that
you work at an academic institution.

If this happens to be about eduroam, take a look at https://cat.eduroam.org.

If this is a non-eduroam network, take a look at e.g.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180911/371862a0/attachment.sig>

More information about the Freeradius-Users mailing list