29 Jun
2017
29 Jun
'17
11:08 a.m.
On Thu, Jun 29, 2017 at 05:00:58PM +0200, Ramon Escriba wrote:
We're planning to use EAP-TTLS with a commercial certificate on freeradius-3.0.4.
Start on 3.0.14, not 3.0.4. It's old and buggy.
We do not want any "client certificate" signed by this commercial big CA to log in.
Right.
But, there's any simple way to forbid globally any CA 'valid client certificate', a part of not using the commercial CA??
I assume you mean EAP-TLS as in the subject, not EAP-TTLS. In which case definitely only use a private CA. Even if it's EAP-TTLS you should still use a private CA for security to stop the possibility of credentials being leaked. -- Matthew