multiple CAs
Christian Bösch
boesch at fhv.at
Tue Jun 9 09:19:18 CEST 2015
> On 08 Jun 2015, at 15:01 , Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jun 8, 2015, at 8:38 AM, Christian Bösch <boesch at fhv.at> wrote:
>> I have Cisco IP phones which do 802.1X EAP-TLS with their manufacturing installed cert.
>> Behind (through the internal switch in the phone) there are clients which do 802.1X PEAP.
>> So the phone needs to validate against the Cisco CA and the client against another CA.
>> Is there any fallback mechanism so that I can specify 2 CA_file lines in the eap config file?
>
> Read the comments in the EAP module configuration.
>
> # Trusted Root CA list
> #
> # ALL of the CA's in this list will be trusted
> # to issue client certificates for authentication.
>
> That answers your question.
Yes, thanks Alan.
But I could only get it to work if I put the first CA into the server.crt file and specified the second CA (Cisco’s)
with the CA_file option. With two CA_file options only the first worked?
Chris
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
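
An added example, not part of the original message or of the FreeRADIUS distribution: one way to build the single "Trusted Root CA list" that the quoted configuration comment describes, by merging several PEM CA certificates into one file that a single CA_file setting can point to. The function names and file names are hypothetical, and the sketch assumes the CA list is read as a concatenation of PEM certificates; it does not check that the inputs are actually CA certificates.

```shell
#!/bin/sh
# Added illustration: merge several PEM CA certificates into one trust
# bundle. Function and file names are hypothetical.

# count_certs FILE: print the number of PEM certificate blocks in FILE.
count_certs() {
    # grep -c exits non-zero on a zero count, so mask the status.
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# build_ca_bundle OUT IN...: write every certificate block found in the
# input files to OUT. Fails, leaving OUT untouched, if any input is
# missing or is not a well-formed PEM certificate file.
build_ca_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for ca in "$@"; do
        begins=$(count_certs "$ca")
        ends=$(grep -c -e '-----END CERTIFICATE-----' "$ca" 2>/dev/null || true)
        if [ "${begins:-0}" -lt 1 ] || [ "$begins" != "$ends" ]; then
            echo "refusing to build bundle: $ca is not a PEM certificate file" >&2
            rm -f "$tmp"
            return 1
        fi
        # Copy only the PEM blocks. awk ends every line with a newline, so
        # an input without a final newline cannot fuse its END line with
        # the next file's BEGIN line, which would hide the second CA.
        awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
             p                             { print }
             /-----END CERTIFICATE-----/   { p = 0 }' "$ca" >> "$tmp"
    done
    mv "$tmp" "$out"
}

# Usage (hypothetical paths):
#   build_ca_bundle ca-bundle.pem client-ca.pem cisco-ca.pem
#   count_certs ca-bundle.pem     # expect one per trusted CA
```

Every CA in the resulting file is trusted to issue client certificates, as the configuration comment states, so the bundle should contain only the CAs meant for client authentication.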