<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
No, I'm referring to WiFi offered at airports, coffee shops, bars, or at someone's home, etc. You are given a username and password and the phone shows the SSID; you just enter the username and password and are connected. There is never a window asking you
 to trust a certificate.</div>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> radiator &lt;radiator-bounces@lists.open.com.au&gt; on behalf of Heikki Vatiainen &lt;hvn@open.com.au&gt;<br>
<b>Sent:</b> Thursday, September 9, 2021 9:37 AM<br>
<b>To:</b> radiator@lists.open.com.au &lt;radiator@lists.open.com.au&gt;<br>
<b>Subject:</b> Re: [RADIATOR] Certificate Not Trusted - InCommon?</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On 8.9.2021 19.48, Ullfig, Roberto Alfredo wrote:<br>
<br>
> Bringing this back, the main question I have is why do our users need to <br>
> Trust a certificate when connecting to our Radius Wifi but they don't <br>
> need to Trust a certificate when connecting to most other WiFi services <br>
> out there. Why is there a difference?<br>
<br>
Are the other WiFi services, for example, WLANs that require <br>
authentication using a captive portal?<br>
<br>
I'd say that in all cases authentication to WLANs that use <br>
WPA-Enterprise with an EAP method that is based on TLS, trust needs to <br>
be established manually by the user, with a profile or a tool that <br>
automates this. For example <a href="https://cat.eduroam.org/">https://cat.eduroam.org/</a><br>
<br>
If the above, the difference is that the browser knows that the server <br>
must have a certificate for example.org if the target URL is <br>
<a href="https://example.org/">https://example.org/</a><br>
<br>
With TLS based RADIUS as used by WPA-Enterprise, a WPA-Enterprise <br>
client only knows the WLAN name (SSID) but there's nothing in the <br>
certificate a RADIUS server sends, at least currently, that ties <br>
together the certificate and the current SSID.<br>
<br>
For an organisation that already uses eduroam, the CAT tool can simplify <br>
configuration substantially. It does not replace manual configuration or <br>
other tools - it's just another way to set up a device.<br>
<br>
Thanks,<br>
Heikki<br>
<br>
-- <br>
Heikki Vatiainen<br>
OSC, makers of Radiator<br>
Visit radiatorsoftware.com for Radiator AAA server software<br>
</div>
</span></font></div>
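<div class="PlainText">What a profile supplies that the SSID alone cannot, as an added example (not part of the original thread and not output of Radiator or eduroam CAT): two alternative wpa_supplicant network blocks for the same WLAN, the first unpinned and the second tied to a CA and a server name. The SSID, identities, hostname, password and CA path are constructed placeholders; a real file would contain only the second block.</div>
<pre>
```conf
# Constructed example: SSID, identities, hostname and paths are placeholders.

# Unpinned profile. With no ca_cert (or ca_path) wpa_supplicant does not
# verify the RADIUS server certificate, so the client cannot tell the
# organisation's RADIUS server from any other server reached through an
# access point that announces the same SSID.
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Pinned profile. The certificate says nothing about the SSID, so the
# profile provides the missing binding itself:
#   ca_cert             - the only CA allowed to have issued the server cert
#   domain_suffix_match - the server cert must carry a dNSName (or CN)
#                         equal to, or a subdomain of, this name
# A certificate from a different CA, or from the right CA but for another
# host, fails the TLS handshake before the password is used.
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```
</pre>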
</body>
</html>