Double check of sanity with PEAP setup

Adam Taylor ataylor at
Sun Dec 15 17:52:23 CET 2019

So I don't dup the messages for this chain:


Yup!  That is why we are redoing our Freeradius servers, adding redundancy, and getting them off our, ahem...Solaris boxes.....  We never required the suffix part of the user names before....but kinda required for Eduroam.  So we figured a clean install/config would do us some good.


Thanks for the explanation.  I do appreciate it.  I was just hoping to find a way that client iOS devices would not have to click the "trust cert" the first time they connect.  Windows doesn't seem to care...but we stress to the students not to click things that look odd and ask first. But they are always asking about that trust screen the first time they connect.  If there is a better way to handle thousands of BYODs you know of without some complicated registration process...I'm all ears!!  Our upper admins want simple and secure...which I try to tell them don't really go together sometimes...


Adam Taylor

-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Alberto Martínez Setién via Freeradius-Users
Sent: Friday, December 13, 2019 3:42 AM
To: FreeRadius users mailing list <freeradius-users at>
Cc: Alberto Martínez Setién <alberto.martinez at>
Subject: Re: Double check of sanity with PEAP setup

Hi Adam.

Clients installing a cert is a non-starter....there is no way with the
> amount of visitors.

I hope you are not talking about eduroam, and eduroam visitors.

> So is a CA signed TLS cert correct for PEAP auth or am I not 
> understanding something in the documentation?

The question you should be asking yourself is: Are you sure that your users' supplicants are checking the server cert Subject? Could they be fooled by any cert  signed under the same CA certificate?

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list