EAP-TLS certificate question
Hi all, I've install freeradius-1.1.3,use it with AP Aironet 1100 doing EAP-TLS and works very well. I still confuse about certificate, is all client certificate created under 1 root ca, can be authenticated against freeradius that started with different server certificate? is it possible to set things like this root ca ------------ / | \ / | \ / | \ server1 server2 server3 ------- ------- ------- | | | | | | client1 client2 client3 I don't want client1 to be authenticated against server2 or server3. thanks
kemas wrote:
Hi all,
I've install freeradius-1.1.3,use it with AP Aironet 1100 doing EAP-TLS and works very well. I still confuse about certificate, is all client certificate created under 1 root ca, can be authenticated against freeradius that started with different server certificate?
I haven't tried it, but it's possible, yes. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Wed, 2007-01-17 at 13:36 +0100, Alan DeKok wrote:
kemas wrote:
Hi all,
I've install freeradius-1.1.3,use it with AP Aironet 1100 doing EAP-TLS and works very well. I still confuse about certificate, is all client certificate created under 1 root ca, can be authenticated against freeradius that started with different server certificate?
I haven't tried it, but it's possible, yes.
is there any howto or link about it? maybe someone would share the light thanks
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 1/17/07, kemas <k_henry@ramayana.co.id> wrote:
I still confuse about certificate, is all client certificate created under 1 root ca, can be authenticated against freeradius that started with different server certificate?
is it possible to set things like this
root ca ------------ / | \ / | \ / | \ server1 server2 server3 ------- ------- ------- | | | | | | client1 client2 client3
I don't want client1 to be authenticated against server2 or server3.
1. client certificates that are "under 1 root ca" are are accepted with respect to the SSL/TLS side of things (other restrictions you implement/configure notwithstanding). The 1 root ca would be the one you tell the server to trust in CA_file. There might be even more as one, which should then reside in a place referenced in CA_path. 2. the servers' certficates are accepted by the supplicant if _they_ trust the pertinent root ca. 3. All those root cas being identical is in no way mandatory, while they might (often) be. 4. I'm not sure how to interpret your schema above. If construed to mean that client certifcates have to be in some way issued from the servers' certificates, that is wrong (as in "don't need to be") and while perhaps technically possible, ill advised from the SSL/TLS point of view. Good starting points for further reading would be RFCs 2716 and 2246, maybe documentation of openssl. Regards K. Hoercher
participants (3)
-
Alan DeKok -
K. Hoercher -
kemas