9 Jul
2012
9 Jul
'12
8:18 a.m.
On 09/07/12 13:04, Sven Dreyer wrote:
Hi List,
at work, I have the following requirements for IP phones which should be authenticated before joining the network:
- Root CA --> Sub CA --> Device certificates - The phones have the Sub CA certificate locally installed as "trustworthy" (NOT the Root CA certificate!) - The RADIUS server must only send its server certificate (not the whole chain)
Why?
- I only put the RADIUS server certificate to certificate_file. But as soon as CA_path or CA_file are set, FreeRADIUS sends the whole certficiate chain to the phone.
I'm afraid the current TLS code works that way. You would need to patch the source if you want a different set of server CA and client CA objects.