Problems using EAP-TLS with freeradius version 2
Stefan Puch
s.puch at web.de
Fri Feb 8 10:52:22 CET 2008
>> You have to install the ca certificate and the client certificate on the
>> client-computer, why should client cert by signed from the server cert?
>
> Because the idea is to authenticate those users to *that* server, not to
> *every* server that got the certificate from that CA. With your approach the
> user would be admitted to some other network if their server was issued a
> certificate by the same CA. If you are using commercial certificates there
> might be thousands of servers with certificates issued by the same CA. And
> the user will be able to get onto all of them (if they use EAP-TLS).
Thanks for the clarification, this is a good argument! In my case there is (and
will be) only one server with uses the CA so it makes no difference, but in many
other cases, you are right, signing with the CA is not what you really want.
Thanks again and best wishes
Stefan Puch
More information about the Freeradius-Users
mailing list