I tried using my own hand-generated SSL certs, as well as a set
generated by the certs.sh script, and get the same type of problem. 
Question: if the CA_file certificate contains a private key, would
this cause my problem?  I don't think it has one, but can't say with
certainty until I get in to work tomorrow and check it out.

One clue I've been seeing is that if I set check_crl = yes, no certificate gets
validated at all; set it to "no" and any client cert will allow the
client into my network.

Thanks!

On Tue, 15 Mar 2005 00:21:19 +0100, Michael Riviera
<[EMAIL PROTECTED]> wrote:
> Use this in eap.conf:
> 
> CA_file = /path/to/certs/ca-cert.pem
> 
> ca-cert.pem should contain the certificate, but not private key, of your CA.
> 
> Michael
> 
> Jon Franklin wrote:
> 
> >I've managed to get freeradius 1.0.1 working with EAP-TTLS, PEAP, and
> >TLS (mostly), but I found that with EAP-TLS, I can use any client
> >certificate I want, and freeradius will allow the client through.
> >This presents a major security hole in my configuration, and I can't
> >seem to figure out how to lock it down.
> >
> >Is there a way to configure freeradius to only accept client certs
> >issued by a specific CA?  Either that or only allow a specific set of
> >certs (say, copies of the certs in a directory, for example), either
> >way would be fine for my purposes.
> >
> >
> >
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Jon Franklin
[EMAIL PROTECTED]


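What a CA_file restriction gives you, and what the check_crl symptom above looks like, can be reproduced outside FreeRADIUS with the OpenSSL command-line tools, since FreeRADIUS hands certificate validation to OpenSSL. The script below is an added example for this thread, not code from the thread or from the FreeRADIUS project: it builds a throwaway "trusted" CA and an unrelated "rogue" CA, issues one client certificate from each, and then runs the same checks the server would. `openssl verify -CAfile` is the command-line counterpart of `CA_file = /path/to/certs/ca-cert.pem`; `-crl_check` is the counterpart of `check_crl = yes`, and OpenSSL's CRL check fails closed when it has no CRL for the issuing CA, so turning CRL checking on without publishing a CRL rejects every client certificate, which is one explanation for the "no certificate gets validated" observation. The directory layout, the CA names, the `WORK` variable and the minimal openssl.cnf are assumptions chosen for this demo; it expects an OpenSSL 1.1.1 or newer binary on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: a throwaway PKI that
# shows what CA_file accepts and rejects, and why CRL checking without a CRL
# rejects everything. Directory names, CA names and WORK are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl.cnf for CA $2 under $1, with absolute paths baked in, so
# "openssl req -x509" emits a real CA cert and "openssl ca -gencrl" can run.
write_cnf() {
    dir="$1"; name="$2"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = $name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $dir/index.txt
certificate      = $dir/ca-cert.pem
private_key      = $dir/ca-key.pem
default_md       = sha256
default_crl_days = 1
EOF
}

# Self-signed CA named $2 under $1, plus one client cert issued by it.
make_ca_and_client() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    write_cnf "$dir" "$name"
    : > "$dir/index.txt"   # empty "openssl ca" database (no revocations yet)
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 2 -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=client-of-$name" -keyout "$dir/client-key.pem" \
        -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -days 1 -sha256 \
        -out "$dir/client-cert.pem" 2>/dev/null
}

# Issue an (empty) CRL for the CA under $1; a CRL-checking verifier needs one.
make_crl() {
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# 0 if $1 holds certificates only; a CA_file must not carry a PRIVATE KEY.
ca_file_is_cert_only() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# 0 if client cert $2 chains to a CA cert in $1 (the check CA_file gives you).
client_accepted() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check with CRL checking on (the check_crl counterpart). With no CRL
# file ($3 empty) OpenSSL fails closed: "unable to get certificate CRL".
client_accepted_with_crl() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$1" -CRLfile "$3" -crl_check "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" -crl_check "$2" >/dev/null 2>&1
    fi
}

# Build both CAs and return 0 only if every expectation holds: trusted client
# accepted, rogue client rejected, CRL check fails without a CRL and passes
# with one, and the CA_file carries no private key.
run_demo() {
    make_ca_and_client "$WORK/trusted" "trusted-ca"
    make_ca_and_client "$WORK/rogue" "rogue-ca"
    ca="$WORK/trusted/ca-cert.pem"
    good="$WORK/trusted/client-cert.pem"
    bad="$WORK/rogue/client-cert.pem"
    # A common mistake: CA cert and CA key concatenated into one file.
    cat "$ca" "$WORK/trusted/ca-key.pem" > "$WORK/trusted/ca-cert-with-key.pem"

    ca_file_is_cert_only "$ca" || return 1
    ca_file_is_cert_only "$WORK/trusted/ca-cert-with-key.pem" && return 1
    client_accepted "$ca" "$good" || return 1
    client_accepted "$ca" "$bad" && return 1
    client_accepted_with_crl "$ca" "$good" && return 1      # no CRL yet: rejected
    make_crl "$WORK/trusted"
    client_accepted_with_crl "$ca" "$good" "$WORK/trusted/crl.pem" || return 1
    client_accepted_with_crl "$ca" "$bad" "$WORK/trusted/crl.pem" && return 1
    return 0
}

if run_demo; then
    echo "OK: trusted client accepted, rogue client rejected, CRL check fails closed until a CRL exists (files in $WORK)"
else
    echo "FAILED: inspect $WORK"; exit 1
fi
```

The working directory is left in place so the generated files can be inspected; `openssl verify` without the `>/dev/null` redirections prints the exact reason for each rejection (for the rogue client, "unable to get local issuer certificate"; for the CRL-less run, "unable to get certificate CRL"), which is the same error string OpenSSL reports to the server that called it.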