WPA2-Entreprise: which certificate to avoid changing Validate server certificate for Windows guest ?
stefan.winter at restena.lu
Tue Sep 11 13:55:27 CEST 2018
> It seems that the list of trusted roots for WAP2 is different from the
> list of trusted roots used by your browser.
Each root CA has to flagged as being an authorised one for *this
> If your goal is just to let the user validate the certificate, instead
> of modifying the connection (it is tricky and error prone) just let them
> manually validate the certificate the first time they connect, it is
> faster. easier and goes in the flow.
Others have pointed at why this is a bad idea usability-wise (renewing
certificate?) and security (training users to "Click Accept" on a
security warning - they'll merrily do so the next time when a rogue
server presents his unknown certificate).
>> My questions are:
>> 1- In this context, is correct to say the Server Certicate Windwos is
>> refering to, is a file somewhere in /etc/freeradius directory ? If
>> positive, how does it look like ? A .pem file ? A .der file ?
>> 2- Is it correct to hope that "if WiFi guests are somehow given such a
>> Server Certificate file before trying to connect, they won't need to change
>> Protected EAP Properties" ?
> I never managed to do that.
There are tools which create ready-made installers, including a CA
certificate, marking it as trusted, etc. Your mail address implies that
you work at an academic institution.
If this happens to be about eduroam, take a look at https://cat.eduroam.org.
If this is a non-eduroam network, take a look at e.g.
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the Freeradius-Users