EAP-TLS with different CA per user?
matt.causey at gmail.com
Sat Jun 7 13:05:45 CEST 2008
In our company, we do have certificates signed by multiple Certificate
Authorities... but there is a hierarchy. So, some users come in from Domain
A (root CA), some come in from Domain B (intermediate CA). So then it's
easy... just maintain the CA_path containing the root and any necessary
On Sat, Jun 7, 2008 at 11:48 AM, SecureW2 (List) <list at securew2.com> wrote:
> It is not really a configuration issue, but more an Identity Management
> It is not common to have a CA per user, but a CA per domain. And per domain
> you have users.
> User X from domain A has CA 1.
> User Y from domain B has CA 2.
> If this is what you are trying to achieve you can simply set up a
> configuration per domain/realm of these users.
> > -----Original message-----
> > From: freeradius-users-bounces+list=securew2.com at lists.freeradius.org
> > [mailto:freeradius-users-bounces+list=securew2.com at lists.freeradius.org]
> > On behalf of Frank Sweetser
> > Sent: Friday, 6 June 2008 20:07
> > To: freeradius-users at lists.freeradius.org
> > Subject: EAP-TLS with different CA per user?
> > I have a configuration which I need, but haven't been able to figure out
> > how to make freeradius do it.
> > I have two users, A and B, both authenticating over wireless using
> > EAP-TLS. User A has a certificate which has been signed by CA X, and B
> > has one signed by CA Y.
> > What I need is to tell freeradius that certificates presented by user A
> > should only be checked against CA X, and similarly B only by Y. Putting
> > both X and Y in the same CA list won't work in this case due to what
> > appears to be a limitation in OpenSSL.
> > I've been over all the existing docs I can find, and I haven't been able
> > to find any way to do this. Anyone have any suggestion what I might try?
> > --
> > Frank Sweetser fs at wpi.edu  | For every problem, there is a solution that
> > WPI Senior Network Engineer  | is simple, elegant, and wrong. - HL Mencken
> > GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
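The per-realm binding discussed in this thread (user A only under CA X, user B only under CA Y, or one CA per domain) as an added example; it is not code from the thread or from FreeRADIUS. It assumes the certificate chain has already been validated elsewhere and only decides whether the issuer is the one pinned for the realm in the presented identity; the realm names and issuer DNs are constructed, and the DN comparison is simplified (no escaped commas inside values).

```python
from typing import Optional

# Constructed sample policy: each realm accepts certificates from exactly one CA.
REALM_ISSUER = {
    "a.example.org": "CN=CA X,O=Example,C=US",
    "b.example.org": "CN=CA Y,O=Example,C=US",
}


def realm_of(identity: str) -> Optional[str]:
    """Extract the realm from 'user@realm' or 'REALM\\user'; None if absent."""
    if "@" in identity:
        realm = identity.rsplit("@", 1)[1]
    elif "\\" in identity:
        realm = identity.split("\\", 1)[0]
    else:
        return None
    realm = realm.strip().lower()
    return realm or None


def normalize_dn(dn: str) -> tuple:
    """Turn a DN into ordered (type, value) pairs, ignoring case and spacing.

    Simplification (assumption): values contain no escaped commas.
    """
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append((key.strip().upper(), " ".join(value.split()).lower()))
    return tuple(parts)


def issuer_allowed(identity: str, cert_issuer_dn: str, policy=REALM_ISSUER) -> bool:
    """Accept only if the certificate's issuer is the CA pinned for the realm.

    Default deny: an identity without a realm, or with a realm that has no
    pinned CA, is rejected even if its certificate chains to a trusted CA.
    """
    realm = realm_of(identity)
    if realm is None or realm not in policy:
        return False
    return normalize_dn(cert_issuer_dn) == normalize_dn(policy[realm])
```

The case that matters is the cross-realm one: a certificate issued by CA Y is rejected when presented under a realm pinned to CA X, even though both CAs may sit in the same trust store.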