oleks
commented
6 years ago What exactly is the alternative? WPA PSK didn't work for me last time I checked, but maybe my configuration was bad.
Closed grawity closed 3 years ago
oleks
commented
6 years ago What exactly is the alternative? WPA PSK didn't work for me last time I checked, but maybe my configuration was bad.
grawity
commented
6 years ago The same WPA-EAP/PEAP/MSCHAPv2, but with the server's certificate validation enabled. Same logic as HTTPS (and it's even the same SSL/TLS behind the scenes) – if you verify the cert, you know you're always talking to your home institution's auth server. If you don't, it could be anybody's.
(We use a standard web CA from /etc/ssl/certs, so domain_suffix_match="utenos-kolegija.lt" would be the important part. Unfortunately the path to standard CAs is distro-dependent...)
Confirming that this configuration (EAP-PEAP with MSCHAPv2) will work with
@ukolegija.ltand@utenos-kolegija.ltaccounts.(Not that I want to encourage using a configuration that broadcasts your easily-crackable password hash literally everywhere you go, but if it does the job for you...)