Hi,

> Oh man!
>
> In other words it's a waste of good money to pay for a signed certificate.

For your own internal 802.1X (where you are only directly authenticating your own users, and that includes e.g. eduroam) - yes. Best practice is to use a self-signed CA (you have the same issues in getting the root CA onto the clients, but there are tools, some free, for that anyway).

For a public 802.1X system where any person wants to join, there are 2 arguments - ease of use (go for a well-known public CA) or security (use a self-signed CA). I'd hope such a public 802.1X system (and there are some out there now... and increasing due to e.g. HS2.0/Passpoint/802.11u) would have some configuration system/tool, and they should use a self-signed CA - any $0.01 script kiddie can get a cert from a well-known CA for some $$ and fake your AP/network :/

alan
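
The trust decision discussed in this message is made in the client's supplicant configuration. As an added illustration (not part of the original message and not Radiator configuration), here are two alternative wpa_supplicant network blocks for the same network: one trusting the public CA bundle, one pinned to the organisation's own root CA. The SSID, identities, file paths and server name are constructed placeholders.

```conf
# Constructed wpa_supplicant.conf fragments; the two blocks are alternatives,
# not meant to be loaded together. All names and paths are placeholders.

# Weak: the trust anchor is the whole public CA bundle and no server name
# is checked, so a server certificate issued by any CA in that bundle,
# for any name, passes validation and the client proceeds to send
# its credentials inside the tunnel.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

# Hardened: the only trust anchor is the organisation's own root CA,
# which issues certificates to nobody else, and the RADIUS server's
# certificate must also carry the expected name.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/example-org-root-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

Where a public CA has to be used, `domain_suffix_match` is what ties the accepted certificate to the expected RADIUS server name; omitting both `ca_cert` and the name check leaves the server unauthenticated.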