EAP-TLS with different CA per user?

Matt Causey matt.causey at gmail.com
Sat Jun 7 13:05:45 CEST 2008


In our company, we do have certificates signed by multiple Certificate
Authorities... but there is a hierarchy.  So, some users come in from Domain
A (root CA), some come in from Domain B (intermediate CA).  So then it's
easy... just maintain the CA_path containing the root and any necessary
intermediate CAs.

On Sat, Jun 7, 2008 at 11:48 AM, SecureW2 (List) <list at securew2.com> wrote:

> Frank,
>
> It is not really a configuration issue, but more an Identity Management
> issue.
>
> It is not common to have a CA per user, but a CA per domain. And per domain
> you have users.
>
> So:
>
> User X from domain A has CA 1.
> User Y from domain B has CA 2.
>
> If this is what you are trying to achieve you can simply setup a
> configuration per domain/realm of these users.
>
> Regards,
>
> Tom
>
> > -----Original message-----
> > From: freeradius-users-bounces+list=securew2.com at lists.freeradius.org
> > [mailto:freeradius-users-bounces+list=securew2.com at lists.freeradius.org]
> > On behalf of Frank Sweetser
> > Sent: Friday 6 June 2008 20:07
> > To: freeradius-users at lists.freeradius.org
> > Subject: EAP-TLS with different CA per user?
> >
> >
> > I have a configuration which I need, but haven't been able to figure out
> > how to make freeradius do it.
> >
> > I have two users, A and B, both authenticating over wireless using EAP-TLS.
> > User A has a certificate which has been signed by CA X, and B has one
> > signed by CA Y.
> >
> > What I need is to tell freeradius that certificates presented by user A
> > should only be checked against CA X, and similarly B only by Y.  Putting
> > both X and Y in the same CA list won't work in this case due to what
> > appears to be a limitation in OpenSSL.
> >
> > I've been over all the existing docs I can find, and I haven't been able
> > any way to do this.  Anyone have any suggestion what I might try?
> >
> > --
> > Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
> > WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
> >      GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
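As an added illustration of the two answers in this thread (Matt's single CA path holding root plus intermediates, and Tom's trust list chosen per domain/realm), not code from any message in it: a throwaway PKI built with the openssl command line. The CA names, user names and realm-to-CA mapping are all constructed here, and the per-realm dispatch sketches the idea rather than any FreeRADIUS option.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI built with the openssl CLI
# to show both answers. Domain A users are signed by root CA X directly; Domain B
# users by an intermediate under X (Matt's hierarchy). All names are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Root CA X (self-signed) and the Domain B intermediate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=CA X' \
  -keyout rootX.key -out rootX.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Domain B intermediate' \
  -keyout intB.key -out intB.csr 2>/dev/null
openssl x509 -req -in intB.csr -CA rootX.pem -CAkey rootX.key -CAcreateserial \
  -days 2 -extfile ca.ext -out intB.pem 2>/dev/null

# issue_user NAME SIGNER: a client certificate as a supplicant would present.
issue_user() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 -out "$1.pem" 2>/dev/null
}
issue_user userA rootX   # Domain A: issued by the root itself
issue_user userB intB    # Domain B: issued by the intermediate

# Matt's answer: one CA path holding the root and every intermediate. OpenSSL
# finds certificates in a CApath by subject-hash file name, so link them that way.
mkdir capath
for ca in rootX intB; do
  ln -s "../$ca.pem" "capath/$(openssl x509 -noout -hash -in "$ca.pem").0"
done
verify_with_capath() { openssl verify -CApath capath "$1" >/dev/null 2>&1; }

# Tom's answer: a trust list per domain/realm. The realm after '@' in the
# identity picks the CA bundle; an unknown realm is refused. This dispatch is a
# sketch of the idea (constructed here), not a FreeRADIUS option.
cp rootX.pem ca-domain-a.pem                  # realm A trusts only CA X
cat intB.pem rootX.pem > ca-domain-b.pem      # realm B needs the intermediate too
verify_for_realm() {  # $1 cert file, $2 identity such as bob@domain-b
  case "${2#*@}" in
    domain-a|domain-b) bundle="ca-${2#*@}.pem" ;;
    *) return 1 ;;
  esac
  openssl verify -CAfile "$bundle" "$1" >/dev/null 2>&1
}
```

With the CA path, both users verify; with per-realm lists, a Domain B certificate checked against the Domain A list fails because the intermediate is missing there, which is the separation Frank asked for.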