Client certs with MSCHAPV2 in PEAP
Robert Myers
ccrider at whiterose.net
Thu Feb 23 23:18:06 CET 2006
Does this only apply if the supplicant uses a server cert during EAP/TLS?
The reason I ask is that I'm using a client cert signed by my CA to do
EAP/TLS, and it's working. I have not implemented the server cert as of
yet.
-Bob
Alan DeKok wrote:
> "Dave Huff" <dbhuff at yahoo.com> wrote:
>
>>> For EAP-TLS to work, the client certs have to be
>>> signed by the server cert.
>>>
>> Signed by the server cert or by the CA cert? I have a CA that signed the
>> server and client certs, and the eap.conf file knows where server and CA
>> certs are.
>>
>
> If you're using 1.0.x, that won't work. It doesn't do certificate
> chains. The client cert MUST be signed by the server cert. Using a
> CA to sign them both won't work.
>
> I'm not even sure it will work in 1.1.0, to be honest.
>
> Alan DeKok.
>
More information about the Freeradius-Users
mailing list