How to avoid EAP-TLS login on commercial CA's?
Ramon Escriba
escriba at cells.es
Thu Jun 29 17:00:58 CEST 2017
Hello FreeRadius masters,
We're planning to use EAP-TTLS with a commercial certificate on
freeradius-3.0.4.
We do not want any "client certificate" signed by this big commercial CA to
log in.
Of course, I saw the warning:
/etc/raddb/mod-enabled/eap
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
But is there any simple way to globally forbid any CA 'valid client
certificate', apart from not using the commercial CA?
Regards.