Multiple CAs
Jonathan Gazeley
jonathan.gazeley at bristol.ac.uk
Wed Oct 4 12:16:13 CEST 2017
Hi folks,

I think I know the answer to this but I want to confirm it.

We (the network infrastructure sysadmins) have been put in a situation
where there are EAP-TLS clients on the network with certs issued by two
different CAs. From talking to management, this is unavoidable and we
must accommodate this with our RADIUS servers. (It's something to do
with the way Azure AD does provisioning).

My understanding is that a decision about which EAP module to use must
be made in the outer server based on attributes in the RADIUS packet and
then the correct EAP module can be used for that CA. Am I correct in
thinking it is not possible to do something like:

    authorize {
        eap_module_1
        eap_module_2
    }

and expect that FreeRADIUS tries each EAP module in turn until it finds
one with the right CA?

Also that it is not possible to check SSL cert attributes in the outer
server to determine the correct CA?

Thanks,
Jonathan