On 12/12/2017, at 3:23 PM, work vlpl <thework.vlpl@gmail.com> wrote:
On 12 December 2017 at 03:12, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 9, 2017, at 12:36 PM, work vlpl <thework.vlpl@gmail.com> wrote:
I should get valid ssl certificate from (Verisign or other CA)
Please don't. It's generally a bad idea. Use a self-signed CA. That way you can control it much better.
Why using valid certificate from some global CA is bad idea? Because Windows requires certain OIDs in the certificates?
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/certs/READ... <https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/certs/README> Line 26 onwards: In general, you should use self-signed certificates for 802.1x (EAP) authentication. When you list root CAs from other organisations in the "ca_file", you permit them to masquerade as you, to authenticate your users, and to issue client certificates for EAP-TLS. -- Nathan Ward