On 08 Jun 2015, at 15:01 , Alan DeKok <aland@deployingradius.com> wrote:
On Jun 8, 2015, at 8:38 AM, Christian Bösch <boesch@fhv.at> wrote:
I have Cisco IP phones which do 802.1X EAP-TLS with their manufactoring installed cert. Behind (through the internal switch in the phone) there are clients which do 802.1X PEAP. So the phone needs to validate against the Cisco CA and the client against another CA. Is there any fallback mechanism so that I can specify 2 CA_file lines in the eap config file?
Read the comments in the EAP module configuration.
# Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication.
That answers your question.
Yes, thanks Alan. But I could only get it work, if I put the first CA into the server.crt file, and the second CA (Cisco’s) specifying with the CA_file option. With two CA_file options only the first worked? Chris
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html