On 09/06/15 09:19, Christian Bösch wrote:
On 08 Jun 2015, at 15:01 , Alan DeKok <aland@deployingradius.com> wrote: On Jun 8, 2015, at 8:38 AM, Christian Bösch <boesch@fhv.at> wrote:
I have Cisco IP phones which do 802.1X EAP-TLS with their manufactoring installed cert. Behind (through the internal switch in the phone) there are clients which do 802.1X PEAP. So the phone needs to validate against the Cisco CA and the client against another CA. Is there any fallback mechanism so that I can specify 2 CA_file lines in the eap config file?
Read the comments in the EAP module configuration.
# Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication.
That answers your question.
Yes, thanks Alan. But I could only get it work, if I put the first CA into the server.crt file, and the second CA (Cisco’s) specifying with the CA_file option. With two CA_file options only the first worked?
As always with openssl the "CA file" is a file containing all certificates needed. Put both in a single file... -Gerald
Chris
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html