<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt">Well in my current configuration I have the RADIUS server certificate in <br>certificate_file and CA certificate in CA_file.<br><br>But with that configuration, the radius server is still sending the CA <br>certificate.<br><br>The CA_path folder is empty and the CA_file is commented out. This should work for you.<br><br>tls {<br> #<br> # These are used to simplify later configurations.<br>
#<br> certdir = ${raddbdir}/certs<br> cadir = ${raddbdir}/certs/trustedCA<br><br> private_key_password = whatever<br> private_key_file = ${certdir}/server.pem<br> certificate_file =
${certdir}/server.pem<br><br> # Trusted Root CA list - CA_path folder is empty<br> # CA_file = ${cadir}/ca.pem<br> CA_path = ${raddbdir}/certs/trustedCA<br> <br> dh_file =
${certdir}/dh<br> random_file = ${certdir}/random<br><br> <br> # fragment_size = 1024<br><br> <br> # include_length = yes<br><br>
<br> # check_crl = yes<br><br> <br> # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"<br><br> <br> # check_cert_cn = %{User-Name}<br>
#<br> # Set this option to specify the allowed<br> # TLS cipher suites. The format is listed<br> # in "man 1 ciphers".<br> cipher_list = "DEFAULT"<br><br>
<br> #make_cert_command = "${certdir}/bootstrap"<br> }<br><br><br><div> </div>==================================================<div> </div><div>Benjamin K. Eshun<div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">----- Original Message ----<br>From: Rafa Marín López &lt;rafa.marinlopez@gmail.com&gt;<br>To: FreeRadius users mailing list &lt;freeradius-users@lists.freeradius.org&gt;<br>Cc: Rafa Marin Lopez &lt;rafa@dif.um.es&gt;<br>Sent: Wednesday, 20 June 2007, 18:10:12<br>Subject: Re: Sending CA certificate during EAP-TLS<br><br><div>Reimer Karlsen-Masur, DFN-CERT wrote:<br><br>Hi Karlsen,<br><br>thanks for
the answer, please see inline...<br>><br>> Argh, your misunderstanding is because of the inline <br>> documentation/default setup of the eap config file.<br>><br>> *Trusted* CAs for client auth are stored in<br>><br>> CA_file<br>><br>> or<br>><br>> CA_path<br>><br>> So there is no conflict here with certificate_file option.<br>><br>> And IMO usually CA_file and certificate_file should *not* contain the <br>> same CA certs<br>Well in my current configuration I have the RADIUS server certificate in <br>certificate_file and CA certificate in CA_file.<br><br>But with that configuration, the radius server is still sending the CA <br>certificate.<br><br>Having said that, your proposal was to not include the CA certificate <br>in the RADIUS server certificate (in certificate_file variable)<br><br>My RADIUS server certificate does not have the CA certificate included. <br>Even so, the RADIUS server is including the CA certificate
:(...<br><br>any alternative solution?<br><br>> because I guess in the majority of cases the RADIUS server cert is <br>> issued by some (commercial) server CA whereas the client certs are <br>> mostly issued by some home grown user CA.<br>><br>> Saying that there might be cases where the CA certificates from <br>> CA_file are indeed the CA chain certs of the RADIUS server <br>> certificate.....<br>><br>> ------------------------------------------------------------------------<br>><br>> - <br>> List info/subscribe/unsubscribe? See <a target="_blank" href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br></div></div><br></div></div></div><br>
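<div>Added example, not part of the original thread and not FreeRADIUS code: a small Python check that reads a tls block like the one posted above, ignores commented-out options, and reports when neither CA_file nor a populated CA_path is active, which by the quoted explanation means no trusted CA is configured for client authentication. The function names and the /etc/raddb value for raddbdir are assumptions.</div>

```python
import re

# Constructed sample: the active and commented-out trust settings from the
# tls block in the message above (other options omitted).
SAMPLE_TLS = """
tls {
    certdir = ${raddbdir}/certs
    cadir = ${raddbdir}/certs/trustedCA
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem
    # CA_file = ${cadir}/ca.pem
    CA_path = ${raddbdir}/certs/trustedCA
}
"""


def parse_tls(text, variables):
    """Return the active options of a tls block with ${name} references expanded."""
    settings, scope = {}, dict(variables)
    for raw in text.splitlines():
        # Drop comments, so a commented-out option is not active.
        # Simplification: a '#' inside a quoted value is also treated as a comment.
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if not match:
            continue  # block braces and blank lines
        key, value = match.group(1), match.group(2).strip().strip('"')
        # Expand references to earlier options; unknown names stay as written.
        value = re.sub(r"\$\{(\w+)\}", lambda r: scope.get(r.group(1), r.group(0)), value)
        settings[key] = scope[key] = value
    return settings


def audit_trust(settings, ca_path_entries):
    """ca_path_entries: names of the files in CA_path (os.listdir on a real server)."""
    findings = []
    has_ca_file = "CA_file" in settings
    has_ca_path = "CA_path" in settings and len(ca_path_entries) > 0
    if not has_ca_file and not has_ca_path:
        findings.append("no trusted CA configured for client certificates")
    if has_ca_file and settings["CA_file"] == settings.get("certificate_file"):
        findings.append("CA_file and certificate_file are the same file")
    return findings


if __name__ == "__main__":
    active = parse_tls(SAMPLE_TLS, {"raddbdir": "/etc/raddb"})  # assumed raddbdir
    print(active)
    print(audit_trust(active, []))  # empty CA_path, as in the message
```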
</body></html>