multiple CAs
Gerald Vogt
vogt at spamcop.net
Tue Jun 9 09:40:07 CEST 2015
On 09/06/15 09:19, Christian Bösch wrote:
>> On 08 Jun 2015, at 15:01 , Alan DeKok <aland at deployingradius.com> wrote:
>> On Jun 8, 2015, at 8:38 AM, Christian Bösch <boesch at fhv.at> wrote:
>>> I have Cisco IP phones which do 802.1X EAP-TLS with their manufacturing installed cert.
>>> Behind (through the internal switch in the phone) there are clients which do 802.1X PEAP.
>>> So the phone needs to validate against the Cisco CA and the client against another CA.
>>> Is there any fallback mechanism so that I can specify 2 CA_file lines in the eap config file?
>>
>> Read the comments in the EAP module configuration.
>>
>> # Trusted Root CA list
>> #
>> # ALL of the CA's in this list will be trusted
>> # to issue client certificates for authentication.
>>
>> That answers your question.
>
> Yes, thanks Alan.
> But I could only get it to work if I put the first CA into the server.crt file and specified the second CA (Cisco’s)
> with the CA_file option. With two CA_file options only the first worked?
As always with openssl the "CA file" is a file containing all
certificates needed. Put both in a single file...
-Gerald
>
> Chris
>
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
>
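One way to build the single CA file suggested in the reply above, as an added example that is not part of the thread or of FreeRADIUS itself: it merges several PEM inputs into one bundle, re-emits every certificate on its own lines (so two files joined without a newline between them do not leave the END and BEGIN markers glued together, which a line-based PEM reader may not parse as two certificates), and drops duplicates. The function names are hypothetical and the two "certificates" are constructed placeholder bytes, not real CA certificates.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.+?)" + re.escape(END), re.S)

# Constructed placeholders (tiny DER SEQUENCEs), NOT real CA certificates.
FAKE_CA_A = b"\x30\x03\x02\x01\x01"
FAKE_CA_B = b"\x30\x03\x02\x01\x02"


def to_pem(der):
    """Encode DER bytes as one PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


def pem_blocks(text):
    """Return the DER bytes of every certificate block found in text."""
    ders = []
    for match in PEM_RE.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        ders.append(der)
    return ders


def build_bundle(sources):
    """Merge PEM texts into one bundle; returns (bundle_text, cert_count)."""
    seen, out = set(), []
    for text in sources:
        ders = pem_blocks(text)
        if not ders:
            raise ValueError("input contains no certificate")
        for der in ders:
            digest = hashlib.sha256(der).hexdigest()
            if digest not in seen:  # drop a CA that was listed twice
                seen.add(digest)
                out.append(to_pem(der))
    return "".join(out), len(out)


if __name__ == "__main__":
    # Two files joined with no newline between them, plus a duplicate of the second.
    glued = to_pem(FAKE_CA_A).rstrip("\n") + to_pem(FAKE_CA_B)
    bundle, count = build_bundle([glued, to_pem(FAKE_CA_B)])
    print(count, "certificates")
    print(bundle, end="")
```

The returned text is what goes into the one file that the single `CA_file` option points at; the returned count should equal the number of CAs you intend to trust.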