using SSL certs with EAP-TLS

Wouter radius at occult.nl
Tue Apr 5 17:03:34 CEST 2016


Hi Alan,

> for other checks, unlang parsing with TLS-Client-Cert-CN can verify if
> the CN matches
> something that you've handed out - your realm, for example, shouldn't be
> present in the CN from commercial CAs as no one else owns it/has
> authority (unless something interesting is going on in your company.....)
> likewise, OCSP can also be used to verify if the cert is valid/current

Ok, thanks, I understand. I added OCSP checking with

    ocsp {
        enable = yes
        override_cert_url = no
        # responder for the StartSSL class 1 client sub-CA
        url = "http://ocsp.startssl.com/sub/class1/client/ca"
    }

but it didn't work, exiting with the error "Error: OCSP response has
wrong nonce value". The site https://blog.pki.dfn.de/tag/freeradius/
helped me make it work with the hint to add "use_nonce = no".

I am sending this mail for future reference (for Googlers).

Cheers
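The configuration below is an added example, not part of the mail above or of the FreeRADIUS project's own files. It puts the OCSP settings from the mail together with the CN check Alan suggested, in FreeRADIUS 3.0.x syntax. The realm `example.org`, the placement of the check in `post-auth`, and the attribute name `TLS-Client-Cert-Common-Name` (check it against your server's dictionary) are assumptions. One caveat a practitioner should keep in mind: the nonce is what ties an OCSP response to the request that asked for it. With `use_nonce = no`, FreeRADIUS will accept any correctly signed response whose thisUpdate/nextUpdate window is still open, so a "good" answer captured before a revocation can be replayed against the server until that window closes. Only disable the nonce for a responder that really does not echo it, as the one in the mail does not, and keep the responder's validity window short.

```conf
# Added example, FreeRADIUS 3.0.x syntax assumed. Not from the original mail.
# mods-available/eap, inside the tls-config block shared by EAP-TLS/TTLS/PEAP.
# certificate_file, private_key_file and ca_file stay as already configured.
tls-config tls-common {
	# Native CN check: reject if the certificate CN differs from the
	# outer User-Name. Use this instead of the unlang block below if the
	# CN you issue is exactly the login name.
	#check_cert_cn = %{User-Name}

	ocsp {
		enable = yes
		override_cert_url = no
		# Responder taken from the mail above.
		url = "http://ocsp.startssl.com/sub/class1/client/ca"
		# This responder does not return the request nonce, so FreeRADIUS
		# fails with "OCSP response has wrong nonce value" unless the
		# nonce check is disabled. See the replay caveat above.
		use_nonce = no
		# Do not let a client in when the responder is unreachable or
		# returns an error; fail closed.
		softfail = no
	}
}

# sites-enabled/default: bind the presented certificate to your realm, as
# suggested in the quoted reply. A commercial CA will sign a CN for anyone,
# so only certificates whose CN carries your realm (assumed: example.org)
# are accepted. Adjust the regex to the CN form you actually issue.
post-auth {
	if (EAP-Type == TLS) {
		if (!TLS-Client-Cert-Common-Name || \
		    TLS-Client-Cert-Common-Name !~ /@example\.org$/) {
			reject
		}
	}
}
```

Run `radiusd -XC` after the change to confirm the configuration parses, then `radiusd -X` and an EAP-TLS test client to see the OCSP request and the CN comparison in the debug output.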

More information about the Freeradius-Users mailing list