How to enable only EAP-TTLS type and not EAP-TLS?

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Thu Jan 10 13:33:14 CET 2008


Alan DeKok wrote on 10.01.2008 11:26:
> Reimer Karlsen-Masur, DFN-CERT wrote:
>> This is definitely more elegant than my suggestion but I found that many
>> FreeRADIUS admins get confused by the
>>
>> CA_file
>> CA_path
>>
>> options. They think that they need to place the CA chain from *their
>> FreeRADIUS server's SSL certificate* in the file/directory specified in the above
>> options.
> 
>   I've added some comments in eap.cnf && raddb/certs/README explaining
> more about these issues.
> 
>> But by doing so they most likely implicitly trust these CAs for
>> client authentication via eap-tls, i.e. they enabled EAP-TLS with some set of
>> trusted CAs that were never intended to authenticate client certs for their
>> organisation.
> 
>   That's the whole purpose of CA_file, to be honest.

Agreed, but usually the CAs of the chain of the RADIUS server's SSL
certificate are *not* the CAs that one wants to trust for organisational
client authentication.

Certs for client authN are mainly issued by organisational CAs.

Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which
has its root CA certificate preinstalled in the standard certificate stores...

Very good that you added some explanatory comments to these options.

-- 
Best regards / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen" (Security in Networked Systems)
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg (Hamburg District Court), HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
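As an added illustration of the point made in this message (this is not a snippet from the thread or from the FreeRADIUS project's own eap.conf), the two `tls` sections below contrast the confused setup with the intended one. The directive names (`CA_file`, `CA_path`, `certificate_file`, `private_key_file`) are real FreeRADIUS options; the file names under `${certdir}` and `${cadir}` are assumed.

```conf
# Confused setup: the CA chain of the RADIUS server's *own* SSL certificate
# is put into CA_file.  OpenSSL treats every CA in CA_file (and CA_path) as
# trusted to issue client certificates, so any EAP-TLS client holding a cert
# from that public CA would be accepted if EAP-TLS is enabled.
tls {
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server.pem               # server cert only
    CA_file          = ${cadir}/public-server-ca-chain.pem # WRONG place for this chain
}

# Intended setup: the server's chain travels with the server certificate
# (certificate_file holds the server cert followed by its issuing CA certs,
# which FreeRADIUS loads as a chain for PEM files), and CA_file names only
# the organisational CA(s) that actually issue client certificates.
tls {
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server-with-chain.pem    # server cert + intermediates
    CA_file          = ${cadir}/org-client-ca.pem          # organisational client CA(s) only
    # CA_path deliberately left unset: no extra CA directory is consulted,
    # so the set of CAs trusted for client authN is exactly org-client-ca.pem.
}
```

A quick sanity check after editing is to list the subjects in the file named by `CA_file` and confirm none of them is the public CA that signed the server certificate.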