EAP-TLS with TLS 1.3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Mar 14 16:27:04 CET 2018

> On Mar 14, 2018, at 1:57 PM, Stefan Winter <stefan.winter at RESTENA.LU> wrote:
> Hi,
>> Sorry, wasn’t clear.  The SSL_CTX configuration code is common for both TLS servers and TLS clients, and is used for both EAP and RADSEC. In this case FreeRADIUS would be acting as a TLS client for RADSEC.
> Ah. Well the cert length considerations are really about EAP as the data
> channel is so narrow and peculiar.
> In a RadSec connection, length of the cert is a NOOP consideration.
> Of course if you really want to have two distinct certs for actual
> security reasons(?), then yes, multiple client certs would be useful there.

OK, yes, that’s what I was querying.

I guess it’d also allow you to select different certificates depending on the CA list advertised by the server, as well as different certificates for crypto agility.

