[RADIATOR] Certificate Not Trusted - InCommon?

Jethro Binks jethro.binks at strath.ac.uk
Thu Sep 9 15:31:22 UTC 2021


> For an organisation that already uses eduroam, the CAT tool can simplify
> configuration substantially. It does not replace manual configuration or
> other tools - it's just another way to set up a device.

It's worth pointing out that it is getting increasingly difficult to do manual configuration of devices for connection to Enterprise networks; device vendors are now starting to mandate that onboarding tools are used that use the APIs to set up a profile.  And if not that, increasingly stringent requirements that make manual configuration more difficult and error-prone, e.g. Android requiring the obscurely-named "Domain" to be completed with the subject name of the RADIUS server certificate.

So needing geteduroam, securew2, etc.

Jethro.


.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

Jethro R Binks, Network Manager,

Information Services Directorate, University Of Strathclyde, Glasgow, UK


The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: 09 September 2021 15:37
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Certificate Not Trusted - InCommon?

On 8.9.2021 19.48, Ullfig, Roberto Alfredo wrote:

> Bringing this back, the main question I have is why do our users need to
> Trust a certificate when connecting to our Radius Wifi but they don't
> need to Trust a certificate when connecting to most other WiFi services
> out there. Why is there a difference?

Are the other WiFi services, for example, WLANs that require
authentication using a captive portal?

I'd say that in all cases authentication to WLANs that use
WPA-Enterprise with an EAP method that is based on TLS, trust needs to
be established manually by the user, with a profile or a tool that
automates this. For example https://cat.eduroam.org/

If the above, the difference is that the browser knows that the server
must have a certificate for example.org if the target URL is
https://example.org

With TLS based RADIUS as used by WPA-Enterprise, a WPA-Enterprise
client only knows the WLAN name (SSID) but there's nothing in the
certificate a RADIUS server sends, at least currently, that ties
together the certificate and the current SSID.

For an organisation that already uses eduroam, the CAT tool can simplify
configuration substantially. It does not replace manual configuration or
other tools - it's just another way to set up a device.

Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
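
Added example, not part of the thread and not Radiator or vendor code: a small Python model of the difference discussed above, where a browser takes the name to verify from the URL while a WPA-Enterprise client can only compare the RADIUS server certificate against what its profile carries (a trusted CA and the "Domain"). The certificate dicts, CA name, host names and the label-boundary suffix match are constructed assumptions, and the model assumes a client that refuses a profile with no domain, as the Android requirement mentioned in the thread implies.

```python
from urllib.parse import urlsplit


def browser_reference_name(url):
    """A browser derives the name the certificate must carry from the URL itself."""
    return urlsplit(url).hostname


def suffix_match(dns_name, suffix):
    """Case-insensitive match on a label boundary: equal, or ends with '.' + suffix."""
    name = dns_name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def supplicant_check(profile, cert):
    """Decide whether a Wi-Fi profile can authenticate a RADIUS server certificate.

    profile: dict with 'ssid' and optionally 'trusted_ca' and 'domain'
    cert:    dict with 'issuer' and 'san_dns' (constructed stand-in for X.509)
    Returns (accepted, reason).
    """
    ca = profile.get("trusted_ca")
    domain = profile.get("domain")
    if not ca:
        # The SSID is all the client knows, and the certificate does not contain it.
        return False, "no trust anchor configured; SSID is not in the certificate"
    if cert["issuer"] != ca:
        return False, "issuer is not the configured CA"
    if not domain:
        return False, "CA matches but no server name configured to compare"
    if not any(suffix_match(name, domain) for name in cert["san_dns"]):
        return False, "server name does not match the configured domain"
    return True, "issuer and server name match the profile"


# Constructed sample data (hypothetical names throughout).
GOOD_CERT = {"issuer": "Example Public CA", "san_dns": ["radius.example.org"]}
OTHER_CERT = {"issuer": "Example Public CA", "san_dns": ["radius.notexample.org"]}
FULL_PROFILE = {"ssid": "eduroam", "trusted_ca": "Example Public CA",
                "domain": "example.org"}
SSID_ONLY = {"ssid": "eduroam"}

if __name__ == "__main__":
    print(browser_reference_name("https://example.org/login"))
    for profile, cert in [(FULL_PROFILE, GOOD_CERT), (FULL_PROFILE, OTHER_CERT),
                          (SSID_ONLY, GOOD_CERT)]:
        print(profile["ssid"], cert["san_dns"], supplicant_check(profile, cert))
```

The second case shows why a public CA alone is not enough: both certificates chain to the same issuer, and only the configured domain tells them apart.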