[RADIATOR] Certificate Not Trusted - InCommon?
Heikki Vatiainen
hvn at open.com.au
Thu Sep 9 14:37:32 UTC 2021
On 8.9.2021 19.48, Ullfig, Roberto Alfredo wrote:

> Bringing this back, the main question I have is why do our users need to
> Trust a certificate when connecting to our Radius Wifi but they don't
> need to Trust a certificate when connecting to most other WiFi services
> out there. Why is there a difference?

Are the other WiFi services, for example, WLANs that require
authentication using a captive portal?

I'd say that in all cases authentication to WLANs that use
WPA-Enterprise with an EAP method that is based on TLS, trust needs to
be established manually by the user, with a profile or a tool that
automates this. For example, https://cat.eduroam.org/

If the above, the difference is that the browser knows that the server
must have a certificate for example.org if the target URL is
https://example.org

With TLS based RADIUS as used by WPA-Enterprise, a WPA-Enterprise
client only knows the WLAN name (SSID) but there's nothing in the
certificate a RADIUS server sends, at least currently, that ties
together the certificate and the current SSID.

For an organisation that already uses eduroam, the CAT tool can simplify
configuration substantially. It does not replace manual configuration or
other tools - it's just another way to set up a device.

Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
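
The kind of client profile the message refers to, as an added example that is not part of the original message: two alternative wpa_supplicant network blocks for the same WLAN, one without a trust anchor and one that pins the CA and the expected RADIUS server name. The SSID, identities, CA file path and the server name radius.example.org are placeholders assumed for illustration.

```conf
# Added example: wpa_supplicant.conf network blocks (use one, not both).
# All names, paths and credentials below are placeholders.

# Without a trust anchor: the client knows only the SSID, and nothing in
# the RADIUS server certificate refers to it. With no ca_cert configured,
# wpa_supplicant does not verify the server certificate at all.
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# With trust established by the profile: the certificate chain must lead
# to the configured CA, and the server certificate must carry a DNS name
# equal to, or a subdomain of, the configured suffix. This plays the role
# that the URL host name plays for a browser.
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

Pinning only the CA is weaker when that CA is a public one, since any certificate it issued would chain correctly; the server name check narrows trust to the organisation's own RADIUS servers.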