[RADIATOR] Certificate Not Trusted - InCommon?

Ullfig, Roberto Alfredo rullfig at uic.edu
Thu Sep 9 15:11:09 UTC 2021


No, I'm referring to WiFi offered at airports, coffee shops, bars, or at someone's home etc... You are given a username and password and the phone shows the SSID, you just enter the username and password and are connected. There is never a window asking you to trust a certificate.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: Thursday, September 9, 2021 9:37 AM
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Certificate Not Trusted - InCommon?

On 8.9.2021 19.48, Ullfig, Roberto Alfredo wrote:

> Bringing this back, the main question I have is why do our users need to
> Trust a certificate when connecting to our Radius Wifi but they don't
> need to Trust a certificate when connecting to most other WiFi services
> out there. Why is there a difference?

Are the other WiFi services, for example, WLANs that require
authentication using a captive portal?

I'd say that in all cases authentication to WLANs that use
WPA-Enterprise with an EAP method that is based on TLS, trust needs to
be established manually by the user, with a profile or a tool that
automates this. For example https://cat.eduroam.org/

If the above, the difference is that the browser knows that the server
must have a certificate for example.org if the target URL is
https://example.org/

With TLS based RADIUS as used by WPA-Enterprise, a WPA-Enterprise
client only knows the WLAN name (SSID) but there's nothing in the
certificate a RADIUS server sends, at least currently, that ties
together the certificate and the current SSID.

For an organisation that already uses eduroam, the CAT tool can simplify
configuration substantially. It does not replace manual configuration or
other tools - it's just another way to set up a device.

Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
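
The reply above notes that nothing in the RADIUS server's certificate ties it to the SSID, so the trust anchor and the expected server name have to come from the client profile. As an added illustration (not part of the thread and not Radiator's own configuration), here is a wpa_supplicant profile without and with that pinning; the SSID, identities, CA file path and server name are placeholders.

```conf
# wpa_supplicant.conf (constructed example; all values are placeholders)

# Unpinned profile: no ca_cert, so the RADIUS server certificate is not
# verified at all. Any server answering for this SSID is accepted and
# receives the inner authentication exchange. Kept disabled so the file
# as a whole never uses it.
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="REPLACE_ME"
    disabled=1
}

# Pinned profile: the device is told which CA must have issued the
# RADIUS server certificate and which server name that certificate must
# carry. This is the information a browser gets from the URL and a
# WPA-Enterprise client cannot get from the SSID.
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity sent before the TLS tunnel is up
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="REPLACE_ME"
    # Trust anchor: only chains ending at this CA are accepted
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # A public CA issues certificates to many organisations, so the
    # server name must be checked as well. Use domain_match instead
    # for an exact-name comparison.
    domain_suffix_match="radius.example.org"
}
```

Profile tools such as eduroam CAT, mentioned in the reply, deliver the same two pieces of information (CA and server name) to the device so the user is not asked to make the trust decision by hand.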