802.1x with GoDaddy Certificates EAP-TTLS
Paul Bone
paul.bone at probitas-solutions.tech
Thu Jun 29 15:45:35 UTC 2023
If anyone on this list has a cost-effective onboarding solution for 802.1x I would certainly be interested.
My customers have baulked at the cost of the options such as SecureW2 for example, and hence we have always used the do not validate flag on these types of networks.
It is internet service and internal networks in multi-tenant buildings, so margins are very slim!
________________________________
From: Alan DeKok <aland at deployingradius.com>
Sent: Thursday, June 29, 2023 4:34:50 PM
To: Paul Bone <paul.bone at probitas-solutions.tech>
Cc: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>; Torsten Wilms <T.Wilms at m3connect.de>
Subject: Re: 802.1x with GoDaddy Certificates EAP-TTLS
On Jun 29, 2023, at 11:18 AM, Paul Bone <paul.bone at probitas-solutions.tech> wrote:
> I have a very similar issue with radius assigned VLAN multi-tenant building networks - so far it is only Google phones that have stopped working with our 802.1x SSID and I have to put them on a MAC auth SSID instead which used to only be used for printers and other devices not supporting 802.1X - and obviously privacy MAC has to be disabled as well.
>
> I suspect many other Android devices will probably follow suit soon.
It's likely that those devices were configured with "don't validate server certificate". This was always wrong and insecure.
Recent WiFi standards have mandated that devices validate the server certificate. i.e. the devices must do that in order to use the "WiFi compatible" logo.
As a result, we will soon see a whole set of devices which can't get on the net. The best solution is to fix their configuration so that it's secure.
Alan DeKok.
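
An added example, not part of the thread above: a small audit of a wpa_supplicant configuration for EAP networks that skip server certificate validation. It assumes Linux clients configured through wpa_supplicant.conf; the sample config, SSIDs, paths and server name are constructed. When the RADIUS certificate comes from a public CA, as in the subject of this thread, the audit also flags networks that trust the CA but do not pin the server name, since any certificate issued by that CA would then be accepted.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are placeholders.
SAMPLE_CONF = '''
network={
    ssid="tenant-a"
    key_mgmt=WPA-EAP
    eap=TTLS
}
network={
    ssid="tenant-b"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/public-ca.pem"
}
network={
    ssid="tenant-c"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/public-ca.pem"
    domain_suffix_match="radius.example.org"
}
network={
    ssid="printers"
    key_mgmt=WPA-PSK
}
'''
# wpa_supplicant options that constrain which server name is accepted.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def audit(text):
    """Map each EAP network's SSID to no-validation, ca-only or ok."""
    findings = {}
    for body in re.findall(r"network=\{(.*?)\n\s*\}", text, re.S):
        net = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                net[key.strip()] = value.strip().strip('"')
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks present no RADIUS server certificate
        if not ({"ca_cert", "ca_path"} & net.keys()):
            findings[net.get("ssid", "?")] = "no-validation"  # server cert unchecked
        elif not any(k in net for k in NAME_CHECKS):
            findings[net.get("ssid", "?")] = "ca-only"  # any cert from that CA passes
        else:
            findings[net.get("ssid", "?")] = "ok"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```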