How to avoid EAP-TLS login on commercial CA's?
matthew at newtoncomputing.co.uk
Thu Jun 29 17:08:11 CEST 2017
On Thu, Jun 29, 2017 at 05:00:58PM +0200, Ramon Escriba wrote:
> We're planning to use EAP-TTLS with a commercial certificate on
Start on 3.0.14, not 3.0.4. It's old and buggy.
> We do not want any "client certificate" signed by this
> commercial big CA to log in.
> But, is there any simple way to forbid globally any CA 'valid client
> certificate', apart from not using the commercial CA?
I assume you mean EAP-TLS as in the subject, not EAP-TTLS.
In which case definitely only use a private CA.
Even if it's EAP-TTLS you should still use a private CA for
security to stop the possibility of credentials being leaked.