In our company, we do have certificates signed by multiple Certificate Authorities...but there is a hierarchy. So, some users come in from Domain A (root CA) some come in from Domain B (intermediate CA). So then it's easy....just maintain the CA_path containing the root and any necessary intermediate CAs.<br>
<br><div class="gmail_quote">On Sat, Jun 7, 2008 at 11:48 AM, SecureW2 (List) <<a href="mailto:list@securew2.com">list@securew2.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Frank,<br>
<br>
It is not really a configuration issue, but more an Identity Management<br>
issue.<br>
<br>
It is not common to have a CA per user, but a CA per domain. And per domain<br>
you have users.<br>
<br>
So:<br>
<br>
User X from domain A has CA 1.<br>
User Y from domain B has CA 2.<br>
<br>
If this is what you are trying to achieve you can simply setup a<br>
configuration per domain/realm of these users.<br>
<br>
Regards,<br>
<br>
Tom<br>
<br>
> -----Oorspronkelijk bericht-----<br>
> Van: freeradius-users-bounces+list=<a href="http://securew2.com" target="_blank">securew2.com</a>@<a href="http://lists.freeradius.org" target="_blank">lists.freeradius.org</a><br>
> [mailto:<a href="mailto:freeradius-users-bounces%2Blist">freeradius-users-bounces+list</a>=<a href="http://securew2.com" target="_blank">securew2.com</a>@<a href="http://lists.freeradius.org" target="_blank">lists.freeradius.org</a>]<br>
> Namens Frank Sweetser<br>
> Verzonden: vrijdag 6 juni 2008 20:07<br>
> Aan: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
> Onderwerp: EAP-TLS with different CA per user?<br>
<div><div></div><div class="Wj3C7c">><br>
><br>
> I have a configuration which I need, but haven't been able to figure out<br>
> how<br>
> to make freeradius do it.<br>
><br>
> I have two users, A and B, both authenticating over wireless using EAP-<br>
> TLS.<br>
> User A has a certificate which has been signed by CA X, and B has one<br>
> signed<br>
> by CA Y.<br>
><br>
> What I need is to tell freeradius that certificates presented by user A<br>
> should<br>
> only be checked against CA X, and similarly B only by Y. Putting both X<br>
> and Y<br>
> in the same CA list won't work in this case due to what appears to be a<br>
> limitation in OpenSSL.<br>
><br>
> I've been over all the existing docs I can find, and I haven't been able<br>
> any<br>
> way to do this. Anyone have any suggestion what I might try?<br>
><br>
> --<br>
> Frank Sweetser fs at <a href="http://wpi.edu" target="_blank">wpi.edu</a> | For every problem, there is a solution<br>
> that<br>
> WPI Senior Network Engineer | is simple, elegant, and wrong. - HL<br>
> Mencken<br>
> GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC<br>
> -<br>
> List info/subscribe/unsubscribe? See<br>
> <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br>