Force CA validation

Alexander Clouter alex at digriz.org.uk
Thu Nov 26 11:57:45 CET 2009


Fernando Calvelo Vazquez <fernando.calvelo at esrf.fr> wrote:
>
> How can I force the CA validation on an EAP-TTLS configuration?
> If in my Windows-Supplicant software I select the CA validation, it 
> works. But if I remove it, and I use only the User-Credentials 
> Authentication part... it works also.
> I would like to force that the CA certification Authentication part must 
> be mandatory also.
> 
> (I'm using windows-supplicant software with EAP-TTLS method)
> Thanks in advance,
> 
You cannot; this is a client-side issue.  It is an identical situation 
to connecting to 'secure' websites: the secure website cannot do 
anything to prevent the user overriding and accepting an expired/invalid 
cert when connecting to their site.

It's one of the reasons we use SecureW2, as it lets you 'script' this 
cert validation[1].  This is great for situations where you do not 
administratively control the connecting workstations (like in a 
university); however, if this is a company where you have admin rights to 
all the machines, they are probably part of an AD domain and so you can 
set up a GPO (or whatever it is called) to do this for you instead.

Cheers

[1] I hope you are also validating the subject line, otherwise you are 
    making the CA validation (for commercially signed certs) 
    pointless

-- 
Alexander Clouter
.sigmonster says: I wonder if I should put myself in ESCROW!!
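As an added illustration (not part of Alexander's reply or of any FreeRADIUS or SecureW2 configuration), here is what the client-side enforcement he describes looks like in a wpa_supplicant network block, since that is where the decision actually lives, not on the RADIUS server. The first block is the "credentials only" setup the original poster observed working; the second pins the CA and the server name so that a rogue AP presenting some other certificate (including a different commercially signed one, per footnote [1]) fails the TLS handshake instead of harvesting the MSCHAPv2 exchange. The SSID, CA bundle path, server name and realm are assumed placeholders.

```conf
# WEAK: EAP-TTLS with no ca_cert. wpa_supplicant will accept any server
# certificate, so any AP broadcasting this SSID can run the inner
# MSCHAPv2 and capture the challenge/response.  (Assumed SSID/realm.)
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    identity="jdoe@example.edu"
    password="s3cret"
}

# HARDENED: the same network with the server certificate chained to a
# trusted CA *and* the server name pinned.  Both are required: with only
# ca_cert, any certificate that the same (commercial) CA has issued to
# anybody would still be accepted, which is the point of footnote [1].
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    identity="jdoe@example.edu"
    anonymous_identity="anonymous@example.edu"   # outer identity; do not leak the real one
    password="s3cret"
    # Assumed path: the CA (or CA bundle) that signed the RADIUS server cert.
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    # Assumed server name; the cert's dNSName/CN must end in this suffix.
    # domain_suffix_match is the preferred check in current wpa_supplicant;
    # older builds only have subject_match (a substring match on the DN),
    # which is considerably weaker.
    domain_suffix_match="radius.example.edu"
}
```

With the hardened block in place, a mismatching certificate surfaces in the wpa_supplicant log as a TLS alert (e.g. "CTRL-EVENT-EAP-TLS-CERT-ERROR ... unknown CA" or a domain mismatch) and the inner authentication is never started, which is the behaviour the original poster was hoping to force from the server side. The equivalent on a managed Windows fleet is a wireless GPO that distributes the profile with server validation and the trusted server names filled in, so users cannot untick the box.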