EAP-TLS with different CA per user?

SecureW2 (List) list at securew2.com
Sat Jun 7 12:48:55 CEST 2008


It is not really a configuration issue, but more an Identity Management

It is not common to have a CA per user, but a CA per domain. And per domain
you have users.


User X from domain A has CA 1.
User Y from domain B has CA 2.

If this is what you are trying to achieve you can simply set up a
configuration per domain/realm of these users.



> -----Original message-----
> From: freeradius-users-bounces+list=securew2.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+list=securew2.com at lists.freeradius.org]
> On behalf of Frank Sweetser
> Sent: Friday, 6 June 2008 20:07
> To: freeradius-users at lists.freeradius.org
> Subject: EAP-TLS with different CA per user?
>
> I have a configuration which I need, but haven't been able to figure out how
> to make freeradius do it.
>
> I have two users, A and B, both authenticating over wireless using EAP-TLS.
> User A has a certificate which has been signed by CA X, and B has one signed
> by CA Y.
>
> What I need is to tell freeradius that certificates presented by user A should
> only be checked against CA X, and similarly B only by Y.  Putting both X and Y
> in the same CA list won't work in this case due to what appears to be a
> limitation in OpenSSL.
>
> I've been over all the existing docs I can find, and I haven't been able any
> way to do this.  Anyone have any suggestion what I might try?
>
> --
> Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
> WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
>      GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
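The per-realm idea from the reply above, sketched outside FreeRADIUS with the openssl command line: the realm of the presented identity selects exactly one CA, and the client certificate is verified against that CA only. This is an added example, not part of the original thread and not FreeRADIUS configuration; the realms a.example and b.example, the CA and user names, and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: CA-X/CA-Y, alice/bob and the realms are illustrative names.
WORK=$(mktemp -d)

# make_ca NAME: create a self-signed CA certificate and key under $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA USER: create a client certificate for USER signed by CA.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.crt" 2>/dev/null
}

# ca_for_identity IDENTITY: print the single CA file pinned for the realm.
ca_for_identity() {
    case "${1##*@}" in
        a.example) echo "$WORK/CA-X.pem" ;;
        b.example) echo "$WORK/CA-Y.pem" ;;
        *) return 1 ;;   # unknown or missing realm: no trust anchor at all
    esac
}

# check_client IDENTITY CERT: succeed only if CERT chains to the realm's CA.
# -no-CApath: do not also consult the default CA directory.
check_client() {
    ca=$(ca_for_identity "$1") || return 1
    openssl verify -no-CApath -CAfile "$ca" "$2" >/dev/null 2>&1
}

make_ca CA-X; make_ca CA-Y
issue CA-X alice; issue CA-Y bob

for pair in alice@a.example:alice bob@b.example:bob alice@b.example:alice; do
    id=${pair%%:*}; crt="$WORK/${pair##*:}.crt"
    if check_client "$id" "$crt"; then echo "$id: accept"; else echo "$id: reject"; fi
done
```

The realm here comes from the client-supplied identity, so it only selects which CA is trusted; the certificate still has to validate under that CA.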