Force CA validation
Alexander Clouter
alex at digriz.org.uk
Thu Nov 26 11:57:45 CET 2009
Fernando Calvelo Vazquez <fernando.calvelo at esrf.fr> wrote:
>
> How can I force the CA validation on an EAP-TTLS configuration?
> If in my Windows-Supplicant software I select the CA validation, it
> works. But if I remove it, and I use only the User-Credentials
> Authentication part... it works also.
> I would like to force that the CA certification Authentication part must
> be mandatory also.
>
> (I'm using windows-supplicant software with EAP-TTLS method)
> Thanks in advance,
>
You cannot, this is a client side issue. It is an identical situation
to connecting to 'secure' websites, the secure website cannot do
anything to prevent the user overriding and accepting an expired/invalid
cert when connecting to their site.
It's one of the reasons we use SecureW2 as it lets you 'script' this
cert validation[1]. This is great for situations where you do not
administratively control the connecting workstations (like in a
university) however if this is a company where you have admin rights to
all the machines they probably are part of an AD domain and so you can
set up a GPO (or whatever it is called) to do this for you instead.
Cheers
[1] I hope you are also validating the subject line, otherwise you are
making the CA validation (for commercially signed certs) pointless
--
Alexander Clouter
.sigmonster says: I wonder if I should put myself in ESCROW!!