How to avoid EAP-TLS login on commercial CA's?

Ramon Escriba escriba at cells.es
Thu Jun 29 17:00:58 CEST 2017


Hello FreeRadius masters,

We're planning to use EAP-TTLS with a commercial certificate on
freeradius-3.0.4.

We do not want any "client certificate" signed by this commercial big CA to
log in.

Of course, I saw the warning:

/etc/raddb/mod-enabled/eap

        #  Note that you should NOT use a globally known CA here!
        #  e.g. using a Verisign cert as a "known CA" means that
        #  ANYONE who has a certificate signed by them can
        #  authenticate via EAP-TLS!  This is likely not what you want.

But is there any simple way to globally forbid any CA 'valid client
certificate', apart from not using the commercial CA?

Regards.


