EAP TLS against multiple certificates?
David Hartburn
D.J.Hartburn at kent.ac.uk
Wed May 3 15:36:07 CEST 2017
Hi,
I failed to get anywhere with this problem and it looks like a lot of
our laptops are broken as we are running a mix of SHA1 and SHA256 client
certificates all of a sudden.
I removed the comments from the config snippet I posted to make it more
readable for the list, but they do exist in my original configuration.
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
To me this suggests it is not possible to have more than one
certificate. Is this correct?
If so, any suggestions on how we can solve this issue or is it a case of
finding every SHA1 client and forcing them to update their cert?
The ideal solution would be to be able to support a SHA1 chain and a
SHA256 chain as a migratory step, dropping the SHA1 in the near future.
The only other option was to have a 'change day' when both the servers
and clients all changed. It looks like that change day may have
unexpectedly become today!
David
On 31/03/17 12:49, Alan DeKok wrote:
> On Mar 31, 2017, at 7:02 AM, David Hartburn <D.J.Hartburn at kent.ac.uk> wrote:
>>
>> Is it possible to check EAP-TLS against multiple certificate chains, or bundle two chains together into the same pem file?
>
> See the comments for "ca_file" in the default build. The question is answered there.
>
>> In terms of config, in mods-enabled/eap, I have
>> tls-config loanlaptops {
>> private_key_file = ${confdir}/certs/loan_laptop_server.pem
>> certificate_file = ${confdir}/certs/loan_laptop_server.pem
>> ca_file = ${confdir}/certs/unikentrootCAchain.pem
>
> Removing all of the comments makes the configuration smaller, it can also make it harder to understand.
>
> Alan DeKok.
>
>
>