Troubleshooting EAP-TLS with External Certificates
Alan DeKok
aland at deployingradius.com
Fri Sep 9 18:53:02 CEST 2016
On Sep 9, 2016, at 12:41 PM, Matthew West <matthew.t.west at gmail.com> wrote:
> To this, my technical lead on the project said:
> ] Need to look at two things here –
> ] * CRL checks – so that revoked certs do not authenticate
> ] * Certificate Whitelist of sorts – So only our bunch of certs authenticate
>
> It is apparent that he understands the implication of using the
> VeriSign chain as our CA. Is it possible to achieve a cert whitelist,
> say, filter on the e-mail address presented in the certificate?
Not on the client.
See the Windows GUI for what's possible. The short answer is "not much".
> Would that remediate any security concerns, or would that still leave
> room for abuse?
You probably can't do it, which means it doesn't help.
Alan DeKok.