On 8.9.2021 19.48, Ullfig, Roberto Alfredo wrote:

> Bringing this back, the main question I have is why do our users need to Trust a certificate when connecting to our Radius Wifi but they don't need to Trust a certificate when connecting to most other WiFi services out there. Why is there a difference?

Are the other WiFi services, for example, WLANs that require authentication using a captive portal?

I'd say that in all cases of authentication to WLANs that use WPA-Enterprise with an EAP method that is based on TLS, trust needs to be established manually by the user, with a profile or a tool that automates this. For example, https://cat.eduroam.org/

If the above, the difference is that the browser knows that the server must have a certificate for example.org if the target URL is https://example.org

With TLS-based RADIUS as used by WPA-Enterprise, a WPA-Enterprise client only knows the WLAN name (SSID) but there's nothing in the certificate a RADIUS server sends, at least currently, that ties together the certificate and the current SSID.

For an organisation that already uses eduroam, the CAT tool can simplify configuration substantially. It does not replace manual configuration or other tools - it's just another way to set up a device.

Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
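
Because the SSID gives the client no name to check the RADIUS server certificate against, the trust anchor and expected server name have to come from the device profile. The following is an added example, not part of the original message or of Radiator: a small audit of client profiles, assuming Linux clients configured with wpa_supplicant; the SSIDs, file paths and server name in the sample are constructed.

```python
import re
# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-no-ca"
    key_mgmt=WPA-EAP
}
network={
    ssid="campus-ca-only"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
}
network={
    ssid="home"
    psk="constructed-passphrase"
}
'''

# wpa_supplicant options that constrain the name in the server certificate
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def audit(conf_text):
    """Return {ssid: [findings]} for network blocks whose key_mgmt uses EAP."""
    report = {}
    for block in re.findall(r"network=\{(.*?)\n\}", conf_text, re.S):
        opts = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                opts[key.strip()] = value.strip().strip('"')
        if "EAP" not in opts.get("key_mgmt", ""):
            continue  # e.g. PSK networks: no RADIUS server certificate involved
        findings = []
        if "ca_cert" not in opts and "ca_path" not in opts:
            findings.append("no CA configured: server certificate is not verified")
        if not any(k in opts for k in NAME_CHECKS):
            findings.append("no name check: any certificate from the CA is accepted")
        report[opts.get("ssid", "?")] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty findings list means the profile pins both the CA and the server name, which is the binding a browser gets from the URL and a WPA-Enterprise client cannot get from the SSID.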
