How to avoid EAP-TLS login on commercial CA's?
Matthew Newton
matthew at newtoncomputing.co.uk
Thu Jun 29 17:08:11 CEST 2017
On Thu, Jun 29, 2017 at 05:00:58PM +0200, Ramon Escriba wrote:
> We're planning to use EAP-TTLS with a commercial certificate on
> freeradius-3.0.4.

Start on 3.0.14, not 3.0.4. It's old and buggy.

> We do not want any "client certificate" signed by this
> commercial big CA to log in.

Right.

> But is there any simple way to globally forbid any CA 'valid client
> certificate', apart from not using the commercial CA??

I assume you mean EAP-TLS as in the subject, not EAP-TTLS.

In which case definitely only use a private CA.

Even if it's EAP-TTLS you should still use a private CA for
security to stop the possibility of credentials being leaked.

--
Matthew