Problems using EAP-TLS with freeradius version 2

Ivan Kalik tnt at
Fri Feb 8 10:31:05 CET 2008

>You have to install the ca certificate and the client certificate on the
>client-computer, why should client cert by signed from the server cert? 

Because the idea is to authenticate those users to *that* server, not to
*every* server that got the certificate from that CA. With your approach
the user would be admitted to some other network if their server was
issued a certificate by the same CA. If you are using commercial
certificates there might be thousands of servers with certificates
issued by the same CA. And the user will be able to get onto all of them
(if they use EAP-TLS).

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list