EAP-TLS and client certs issued with different CA's

Bruncko Michal Michal.Bruncko at zssos.sk
Sun Sep 14 15:18:41 CEST 2014


Thanks, Alan, for the very clear responses.

On 2014-09-13 17:58, the sender wrote:
> Bruncko Michal wrote:
>> I am successfully using FreeRADIUS in our Wifi environment using EAP-TLS in a single-CA environment, i.e. the same CA was used to sign both the server and the client SSL certificates. Now I have started to use a new certificate PKI with a new CA hierarchy, RootCA -> SubCA -> Wifi certificates, but I wanted to keep the existing legacy CA in place. This means:
>> - that I wanted to use client certificates issued by two different CAs for EAP-TLS authentication
>> - and, as I mentioned before, the new CA is a subCA of the new rootCA.
>> - and the server certificate is still signed using the legacy CA
> 
>   You will need to configure two different "eap" modules.  One for the
> first CA, and the other for the second CA.
> 
>   Then in the "authorize" section, look at the User-Name.  For one set of users, run the "eap_ca1" module.  For another set of users, run the "eap_ca2" module.
> 
>   You will need to list "eap_ca1" and "eap_ca2" in the "authenticate" section, too.
> 
>> Questions:
>> - what am I doing wrong? Am I missing anything in order to get EAP-TLS authentication working over both the legacy CA and the new CA?
> 
>   The EAP module handles only one CA.  If you need two CAs, you need two EAP modules.
> 
>   Alan DeKok.
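As an added example (not code from this thread or from the FreeRADIUS project), here is one way to lay out the two "eap" instances Alan describes, written in FreeRADIUS 3.0 configuration syntax. The instance names eap_ca1 and eap_ca2 follow his reply; the realm used to tell the two user populations apart, the tls-config names and every file path are assumptions for illustration only.

```conf
# mods-enabled/eap  (FreeRADIUS 3.0 syntax; assumed layout, not from the thread)
#
# Two independent instances of rlm_eap: one trusts the legacy CA, the other
# trusts the new RootCA -> SubCA chain.  Both present the same server
# certificate, which (as in the thread) is still signed by the legacy CA.

eap eap_ca1 {
	default_eap_type = tls
	timer_expire     = 60
	max_sessions     = 4096

	tls-config tls-legacy {
		private_key_file = /etc/raddb/certs/server.key    # assumed path
		certificate_file = /etc/raddb/certs/server.pem    # assumed path
		# Trust anchor for client certificates issued by the legacy CA.
		ca_file          = /etc/raddb/certs/legacy-ca.pem # assumed path
		dh_file          = /etc/raddb/certs/dh
		cipher_list      = "DEFAULT"
	}

	tls {
		tls = tls-legacy
	}
}

eap eap_ca2 {
	default_eap_type = tls
	timer_expire     = 60
	max_sessions     = 4096

	tls-config tls-newpki {
		private_key_file = /etc/raddb/certs/server.key    # same server cert
		certificate_file = /etc/raddb/certs/server.pem
		# For the two-level hierarchy this file must hold the whole chain
		# (SubCA certificate followed by RootCA certificate), otherwise a
		# client certificate cannot be verified up to the trusted root.
		ca_file          = /etc/raddb/certs/new-chain.pem # assumed path
		dh_file          = /etc/raddb/certs/dh
		cipher_list      = "DEFAULT"
	}

	tls {
		tls = tls-newpki
	}
}

# sites-enabled/default  (only the sections that change are shown)

server default {
	authorize {
		preprocess

		# Route on the outer identity (EAP-Response/Identity), as Alan
		# suggests.  Matching on an "@legacy.example.org" realm is an
		# assumed convention; any attribute that reliably separates the
		# two user populations would do.
		if (User-Name =~ /@legacy\.example\.org$/) {
			eap_ca1 {
				ok = return
			}
		}
		else {
			eap_ca2 {
				ok = return
			}
		}
	}

	authenticate {
		# Listing an instance here creates an implicit Auth-Type of the
		# same name, which is the Auth-Type that instance set for the
		# request in "authorize".  Both instances must appear.
		eap_ca1
		eap_ca2
	}
}
```

Run `radiusd -XC` after editing to check the configuration before restarting the daemon. Because each instance keeps its own EAP session state, the attribute used in the `if` must give the same answer on every round of a given EAP conversation; the supplicant's outer identity does, which is why User-Name is a safe choice.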

