...
On Mac OS, iPhone and Windows 10 supplicants, when connecting to the SSID for the first time, the server certificate's details are presented to the user and the user is asked if they want to trust the server. In case the identity presented by the RADIUS server changes at any point, the user will be prompted with a message, not containing any reasonable warning, sadly, that looks identical to the one displayed when connecting for the first time, where a user is extremely likely to press Trust/Connect once again (on Windows 10, the message also advises the user to connect if they are in a location where said SSID is expected to be present). On Windows 10, in case the user does press Connect again, the supplicant stores both identities and thereon connects without further warning to any server presenting any of those identities, on Mac OS and iPhone this has not been tested. On Mac OS and Windows 10, it is also possible to copy the ca.pem file and install it like with the Linux supplicant, on iPhone, this did not seem to have any effect. This avoids the prompt on first connect and protects against a rogue RADIUS server intercepting the connection on the supplicant's first connection attempt, when, it would, otherwise, be still impossible to distinguish it from the authentic oneOn Windows 10, this does not change the behavior in case the server's identity changes, on Mac OS this has not been tested, presumably the same. It seems to be possible, but greatly complicated (involving installing a software from the App Store, and using it to create a configuration profile which then needs to be saved to a file, copied and imported onto the supplicant device) on Mac OS and iPhone to configure the supplicant to not send the real user name in the unencrypted outer tunnel. On Windows 10 this is somewhat easier. '@@@' to verify. '@@@'