No, I'm referring to WiFi offered at airports, coffee shops, bars, or at someone's home etc... You are given a username and password and the phone shows the SSID, you just enter the username and password and are connected. There is never a window asking you to trust a certificate.
---
Roberto Ullfig - rull...@uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: radiator <radiator-boun...@lists.open.com.au> on behalf of Heikki Vatiainen <h...@open.com.au>
Sent: Thursday, September 9, 2021 9:37 AM
To: radiator@lists.open.com.au <radiator@lists.open.com.au>
Subject: Re: [RADIATOR] Certificate Not Trusted - InCommon?

On 8.9.2021 19.48, Ullfig, Roberto Alfredo wrote:

> Bringing this back, the main question I have is why do our users need to
> Trust a certificate when connecting to our Radius Wifi but they don't
> need to Trust a certificate when connecting to most other WiFi services
> out there. Why is there a difference?

Are the other WiFi services, for example, WLANs that require authentication using a captive portal?

I'd say that in all cases authentication to WLANs that use WPA-Enterprise with an EAP method that is based on TLS, trust needs to be established manually by the user, with a profile or a tool that automates this. For example https://cat.eduroam.org/

If the above, the difference is that the browser knows that the server must have a certificate for example.org if the target URL is https://example.org/

With TLS based RADIUS as used by WPA-Enterprise, a WPA-Enterprise client only knows the WLAN name (SSID) but there's nothing in the certificate a RADIUS server sends, at least currently, that ties together the certificate and the current SSID.

For an organisation that already uses eduroam, the CAT tool can simplify configuration substantially. It does not replace manual configuration or other tools - it's just another way to set up a device.

Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
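The trust setup discussed in this thread (done manually or by a profile tool such as eduroam CAT), as an added example that is not part of the original messages: a wpa_supplicant network block with no server validation beside one that pins the CA and the expected RADIUS server name. The SSID, identities, CA file path and server name are constructed placeholders; the two blocks are alternatives, not meant for the same file.

```conf
# Added example for illustration; all names and paths below are placeholders.

# Weak: no ca_cert and no server name constraint.
# The supplicant knows only the SSID, and nothing in the RADIUS server's
# certificate is tied to that SSID, so any certificate presented by
# whatever answers for this SSID is accepted without a check.
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="CHANGE_ME"
    phase2="auth=MSCHAPV2"
}

# Corrected: trust is established in advance, the way a provisioning
# profile would do it, so the user is never asked to trust a certificate.
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    # Outer identity sent before the TLS tunnel is up.
    anonymous_identity="anonymous@example.org"
    password="CHANGE_ME"
    phase2="auth=MSCHAPV2"
    # Accept only server certificates that chain to this CA.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # Accept only a certificate whose dNSName equals or ends with this name.
    domain_suffix_match="radius.example.org"
}
```

The `ca_cert` and `domain_suffix_match` pair supplies, on the client side, the binding between network and server name that a browser gets from the URL.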