using SSL certs with EAP-TLS
Wouter
radius at occult.nl
Tue Apr 5 17:03:34 CEST 2016
Hi Alan,
> for other checks, unlang parsing with TLS-Client-Cert-CN can verify if
> the CN matches
> something that you've handed out - your realm, for example, shouldn't be
> present in the CN from commercial CAs as no one else owns it/has
> authority (unless something interesting is going on in your company.....)
> likewise, OCSP can also be used to verify if the cert is valid/current
Ok, thanks, I understand. I added OCSP checking with
    ocsp {
        enable = yes
        # keep the OCSP URL from the client cert's AIA extension;
        # the url below is only a fallback
        override_cert_url = no
        url = "http://ocsp.startssl.com/sub/class1/client/ca"
    }
but it didn't work; it exited with the error "Error: OCSP response has
wrong nonce value". The site https://blog.pki.dfn.de/tag/freeradius/
helped me make it work with the hint to add "use_nonce = no".
I'm sending this mail for future reference (for Googlers).
Cheers
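For reference, the corrected block as it would sit inside the EAP module of FreeRADIUS 3.x (mods-available/eap), written as an added example rather than Wouter's own configuration; the enclosing eap/tls-config sections and the softfail line are assumed from the stock 3.x configuration, not taken from the post.

```conf
# Added example, not the configuration from the post. The eap/tls-config
# nesting and the softfail line are assumed from the FreeRADIUS 3.x defaults.
eap {
    tls-config tls-common {
        # certificate_file, private_key_file, ca_file etc. stay as already configured

        ocsp {
            enable = yes

            # no: use the OCSP URL from the client cert's AIA extension,
            # falling back to 'url' when the cert has none.
            # yes: always query 'url' and ignore the cert's AIA.
            override_cert_url = no
            url = "http://ocsp.startssl.com/sub/class1/client/ca"

            # The fix from the post. Responders that do not echo the request
            # nonce make FreeRADIUS reject the response ("wrong nonce value").
            # Caveat: without a nonce, a valid signed response can be replayed
            # until its nextUpdate time, so cached responses are trusted for
            # that whole window rather than being proven fresh per request.
            use_nonce = no

            # Assumed from the 3.x defaults: no means an unreachable or
            # unparseable responder rejects the client cert instead of
            # silently accepting it.
            softfail = no
        }
    }
}
```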