EAP-TLS with different CA per user?
Frank Sweetser
fs at WPI.EDU
Sun Jun 8 03:56:28 CEST 2008
SecureW2 (List) wrote:
> Frank,
>
> It is not really a configuration issue, but more an Identity Management
> issue.
>
> It is not common to have a CA per user, but a CA per domain. And per domain
> you have users.

In general, I certainly agree. The catch is that I'm attempting to handle
certs and CAs that are already out on some users' machines. Worst case, I can
start having everyone update certs as needed, but it would be far less hassle
for me to handle it in freeradius.

> So:
>
> User X from domain A has CA 1.
> User Y from domain B has CA 2.
>
> If this is what you are trying to achieve you can simply set up a
> configuration per domain/realm of these users.

The usernames currently don't have a domain portion. Would it be possible for
me to set a default domain for a given username? (The list is small, so would
be manageable for me.) And if so, could you give me at least a rough example
of how I would set this up?

--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC