"Dave Huff" <dbhuff at yahoo.com> wrote:
> > For EAP-TLS to work, the client certs have to be
> > signed by the server cert.
> Signed by the server cert or by the CA cert?  I have a CA that signed the
> server and client certs, and the eap.conf file knows where server and CA
> certs are.
 If you're using 1.0.x, that won't work.  It doesn't do certificate
chains.  The client cert MUST be signed by the server cert.  Using a
CA to sign them, both won't work.

 I'm not even sure it will work in 1.1.0, to be honest.

 Alan DeKok

In 1.1.0 I have chained client certificates and for me EAP-TLS works,
if the client does not require the server to authenticate itself. The client
cert is not signed by the server cert. It seems to be necessary, that if you
have a root CA and an issuing CA, the CA_file must contain the certificates of
both of them.
If the client requires the server to authenticate itself, the whole process
fails.

Norbert Wegener
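Norbert's observation that CA_file has to hold both the root CA and the issuing CA, shown as an added Go example (not code from this thread or from FreeRADIUS): it builds a constructed root CA, issuing CA and client certificate, then verifies the client against a trust store holding only the root and against one holding both. The function names mkCert and verifyClient are chosen here, and a CA_file is modelled as a plain pool of trust anchors with no other intermediates available.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed cert for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // what an EAP-TLS client cert is used for
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyClient checks client as a server whose CA_file holds exactly trusted would: those certs are the only anchors.
func verifyClient(client *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	root, rootKey := mkCert("Root CA", true, nil, nil)                // constructed root CA
	issuing, issuingKey := mkCert("Issuing CA", true, root, rootKey)  // constructed issuing CA, signed by root
	client, _ := mkCert("eap-client", false, issuing, issuingKey)     // constructed client cert, signed by issuing CA
	fmt.Println("CA_file = root only:     ", verifyClient(client, root))          // unknown authority
	fmt.Println("CA_file = root + issuing:", verifyClient(client, root, issuing)) // <nil>
}
```

With only the root in the store the chain cannot be completed, because the client presents nothing that links it to the root; adding the issuing CA to the same file is what makes the chain verifiable.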
