Question on certificates before deep dive into EAP-TLS

Mathieu Simon mathieu.sim at gmail.com
Thu Apr 11 17:55:58 CEST 2013


G'day

As a (hopefully) answerable question for those experienced with EAP-TLS, one I've
been twisting my brain over:

Usually I've seen examples of EAP-TLS setups that used a server-side certificate
issued from the same CA as the one it should allow for EAP-TLS clients who present
their certificate to FR.

Am I guessing correctly that CA_file can contain a different list of CA(s)
than the server certificate that is shown to the client? (Taken from
Debian's FR 2.1.12)

eap.conf:
  tls {
         [...]
         certificate_file = "/etc/freeradius/ssl/cert.p

         #  Trusted Root CA list
         CA_file = "/etc/univention/ssl/ucsCA/CAcert.pem"
        [...]

The real-life example would be that people could use PEAP-MSCHAPv2 for
credential-based logins (server certificate being signed by a "trusted"
external CA), while some devices could log in using EAP-TLS but only when they
present a certificate from an internal CA (that usually isn't trusted by devices
outside the control of the IT department).

Best regards
Mathieu
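As an added illustration of the two-CA layout described in the post (this is not code from the post or from FreeRADIUS), the script below builds an "external" CA that signs the RADIUS server certificate and a separate "internal" CA that signs an EAP-TLS client certificate, then checks each certificate against each trust list with openssl, which is the same verification the CA_file setting drives. All names (external-ca, internal-ca, radius-server, laptop) and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: demonstrate that the CA
# used to validate EAP-TLS client certificates (CA_file) is independent
# of the CA that issued the server certificate (certificate_file).
# Requires the openssl CLI; all keys and certificates are throwaway.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Create a self-signed CA whose CN is $1, writing $1.key and $1.pem.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Issue a leaf certificate with CN $1, signed by CA $2.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 1 -sha256 -out "$1.pem" >/dev/null 2>&1
}

# "Trusted" external CA: would sign the cert referenced by certificate_file,
# so PEAP-MSCHAPv2 clients that only trust public CAs accept the server.
make_ca external-ca
# Internal IT CA: would be the single entry in CA_file, so only client
# certificates it issued pass EAP-TLS verification.
make_ca internal-ca

issue radius-server external-ca   # server certificate (certificate_file)
issue laptop internal-ca          # EAP-TLS client certificate

# Return 0 when certificate $1 chains to the CA in $2.pem, i.e. what a
# trust list containing only $2.pem would accept.
chains_to() {
  openssl verify -CAfile "$2.pem" "$1.pem" >/dev/null 2>&1
}
```

Running the checks shows that laptop.pem verifies only against internal-ca.pem and radius-server.pem only against external-ca.pem, so a CA_file holding just the internal CA still lets the server present an externally signed certificate.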

