1 Nov
2018
1 Nov
'18
11:29 a.m.
Alan DeKok <aland@deployingradius.com> wrote:
client: let's do TLS!
server: Sure, here's my CA and server cert!
client: Uh... not what I wanted, goodbye!
The only way to signal which CA you want is by some other method. i.e. changing the outer identities, as Christian suggested.
Just a note for edification/general interest, in the case of non-Windows IPSEC, there are modes where clients can send requests for desired CAs over the IKE protocol. Doesn't help for WiFi unless maybe if you are doing Open+IPSEC setups. (Windows can do that mode too but the client doesn't do sufficient security checks in that mode, you have to tunnel PEAP to get CN validation)