clarification on eap configuration files and certificates
Marco Santantonio
marco.santantonio at unito.it
Thu Jun 20 13:41:17 CEST 2019
ok, many thanks for your support!
Marco
On Thu, Jun 20, 2019 at 13:04, Alan DeKok <aland at deployingradius.com> wrote:
> On Jun 20, 2019, at 5:06 AM, Marco Santantonio <marco.santantonio at unito.it> wrote:
> >
> > I have one last doubt on the subject. As I said, we use certificates issued
> > by a public CA (Digicert). In the certificate chain that I insert in the
> > certificate_file should I also enter the root CA or, being this public and
> > recognized, do I expect the clients to know it already?
>
> The clients should already know the root CA. It may work if you don't
> put the root CA into the certificate_file.
>
> > Does leaving the CA root in the chain not increase packet exchange with
> > probably longer round-trip times and therefore slower authentications?
>
> Leaving the root CA in the chain will likely add one more packet
> exchange. It may slow down authentication slightly. But in practice, this
> isn't much of an issue.
>
> If you enable fast session resumption, then 99% of authentications will
> use that, and will bypass the certificate exchange completely. And,
> leaving the root CA in there may help in some cases.
>
> I usually recommend being safe. Leave the root CA there, and enable
> fast session resumption.
>
> Alan DeKok.
--
****************************************
Marco Santantonio
Direzione Sistemi Informativi, Portale, E-learning
Sezione Fonia, VoIP e WiFi
www.unito.it
****************************************
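
The recommendation in the reply above, written out as a configuration fragment. This is an added illustration, not taken from the thread or from the project's shipped files; it assumes the FreeRADIUS 3.0.x `mods-available/eap` layout, and the file names and cache name are placeholders.

```conf
# mods-available/eap (FreeRADIUS 3.0.x layout assumed).
# Only the directives relevant to the thread are shown.
eap {
    tls-config tls-common {
        # Placeholder path for the server's private key.
        private_key_file = ${certdir}/radius.example.org.key

        # PEM bundle (placeholder file name), certificates in this order:
        #   1. server certificate
        #   2. intermediate CA certificate(s)
        #   3. root CA certificate (optional; kept here as the reply advises)
        certificate_file = ${certdir}/radius.example.org.chain.pem

        # Maximum size of each EAP-TLS fragment. A longer chain needs more
        # fragments, and each fragment costs one request/response round trip.
        fragment_size = 1024

        # Fast session resumption: a returning client resumes its cached TLS
        # session, so the certificate chain is not sent again.
        cache {
            enable = yes
            lifetime = 24           # hours
            name = "eap-tls-cache"  # placeholder name
        }
    }
}
```

With the cache enabled, the extra fragment caused by the root certificate is paid only on a client's first full handshake within the cache lifetime.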
More information about the Freeradius-Users mailing list