Open petejoybaker opened 9 years ago
domain_suffix_match has been available since Android version 6 (API 23). It is already possible to use the complete DN; you only have to enter it in the CN field. The user has to fill it in completely. I moved the domain_suffix_match option to Version 1.1 because the priority for this option is low at the moment, until Android version 6 is released.
Perfect. Good job :)
For example instead of checking the common name only like
you should check for the complete distinguished name
because otherwise you could set up a fake RADIUS server with something like "radius.rz.uni-konstanz.de" which will work, too.
While that is better, the best option would be to check the domain_match (starting with wpa_supplicant v2.4) or the domain_suffix_match attribute (starting with wpa_supplicant v2.1):
For the "suffix" version
allows "radius.rz.uni-konstanz.de" or "evil.rz.uni-konstanz" but not "radius.uni-konstanz.de" or "evil.uni-konstanz.de" and it forbids things like "radius.rz.uni-konstanz.evil.com".
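The difference between the full and the suffix match discussed above, as an added Python sketch (not code from this thread, from the app, or from wpa_supplicant). It compares names label by label, as the wpa_supplicant documentation describes for the server certificate's dNSName entries, and contrasts that with a plain string suffix check. The constraint value `rz.uni-konstanz.de`, the sample list and all function names are assumptions made for the illustration.

```python
# Added illustration of the matching semantics; not wpa_supplicant's code.

def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.lower().rstrip(".").split(".")

def domain_match(constraint, dns_name):
    """Full match: every label must be equal."""
    return _labels(constraint) == _labels(dns_name)

def domain_suffix_match(constraint, dns_name):
    """Suffix match, one label at a time starting from the TLD; the
    certificate name may carry extra sub-level labels in front."""
    want, have = _labels(constraint), _labels(dns_name)
    return len(have) >= len(want) and have[-len(want):] == want

def naive_endswith(constraint, dns_name):
    """Plain string suffix check, kept only as a contrast."""
    return dns_name.lower().endswith(constraint.lower())

def server_accepted(constraint, san_dns_names, matcher=domain_suffix_match):
    """The constraint is met if any dNSName entry of the certificate matches."""
    return any(matcher(constraint, n) for n in san_dns_names)

# Assumed constraint value, inferred from the names discussed in the thread.
SUFFIX = "rz.uni-konstanz.de"

# Constructed sample names (the last one is added to show the label boundary).
SAMPLES = [
    "radius.rz.uni-konstanz.de",
    "radius.uni-konstanz.de",
    "evil.uni-konstanz.de",
    "radius.rz.uni-konstanz.evil.com",
    "notrz.uni-konstanz.de",
]

def evaluate(constraint=SUFFIX, names=SAMPLES):
    """Return {name: (label-wise suffix result, naive endswith result)}."""
    return {n: (domain_suffix_match(constraint, n), naive_endswith(constraint, n))
            for n in names}

if __name__ == "__main__":
    for name, (suffix_ok, naive_ok) in evaluate().items():
        print(f"{name:35} suffix={suffix_ok!s:5} naive={naive_ok}")
```

Only the label-wise comparison rejects `notrz.uni-konstanz.de`; a string `endswith` check would accept it, which is why the suffix has to be matched on whole labels.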