Thanks for taking the time to reply, Ivan - I appreciate your help.

>> - Create a virtual server for guest access that uses an EAP module with
>> the cert. from the well-known CA
>
>That is insecure. Your clients will trust *any* server certificate signed
>by that public CA.

Don't both solutions have the same risk (my first idea was to use a 2nd eap
instance with the public CA)?  I understand the risk; but, in this case, it's a
tradeoff between presenting a cert signed by a public CA (makes it easier for
these outside users to configure our wireless), having all guest users not
validate the server cert (even worse) or distributing our internal CA's cert to
every guest user (not logistically practical).

Thanks again Ivan.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
