This note is informative and might lead to some CWSP course content update.
In 2009 Black Hat, Moxie Marlinspike demontrated that there's a fundamental problem in the X.509 certificate trust chain.
To truly assess the authenticity of a certificate, it is required to validate not only the root CA but also intermediate certification authority certificates. As workstation and servers Operating Systems are deployed with only public root CAs (not all intermediary CAs), and also because Wireless LAN profiles are only assessing the authenticity of a certificate based on the Root CA, it is possible for a hacker to create a WPA-Enterprise evil twin with a RADIUS server certificate that will be considered as legitimate by the client workstation even if it is validating the server's certificate authenticity.
The basic principles are outlined here:
The only solution I can find to this exploit is to use a private self-signed Root CA (not use Verisign or Entrust public CA). However, this implies:
A) Securing the Root CA private Key and making sure it does not get compromised;
B) Deploying the private Root CA certificate to all client workstations (generally via GPO).
Not much new news here.
But maybe some hadn't guessed it already.