On Mac OS and iPhone supplicants, when connecting to the SSID for the first time, the server certificate's details are presented to the user and the user is asked if they want to trust the server. In case the identity presented by the RADIUS server changes at any point, the user will be prompted with a message, not containing any warning, sadly, that looks identical to the one displayed when connecting for the first time, where a user is extremely likely to press Trust once again. On Mac OS, it is also possible to copy the .ca file and install it, avoiding the prompt on first connect, on iPhone, on the iPhone this was tested on, this did not have any effect. It seems to be possible, but greatly complicated (involving installing a software from the App Store, and using it to create a configuration profile which then needs to be saved to a file, copied and imported onto the supplicant device) to configure the supplicant to not send the real user name in the unencrypted outer tunnel.

Windows 10 '@@@'