Rafa Marin wrote:
Hi Karlsen,

2007/6/20, Reimer Karlsen-Masur, DFN-CERT <[EMAIL PROTECTED]>:

Hi, in the file referenced by the option variable "certificate_file" in the tls section only put the server certificate (and optionally the private key) of your RADIUS server.

I think this might work (after some tests I did). But my immediate question is how the server is supposed to verify client certificate if we don't configure any CA certificate?
Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored in CA_file or CA_path. So there is no conflict here with certificate_file option.

And IMO usually CA_file and certificate_file should *not* contain the same CA certs because I guess in the majority of cases the RADIUS server cert is issued by some (commercial) server CA whereas the client certs are mostly issued by some home-grown user CA.

Saying that there might be cases where the CA certificates from CA_file are indeed the CA chain certs of the RADIUS server certificate...
--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
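
The separation described in the reply above (server certificate in certificate_file, trusted client CAs in CA_file), as an added example that is not part of the original message or of FreeRADIUS. The CA names, subjects and file names are constructed, and `openssl verify` is assumed to stand in for the chain check the server applies to a client certificate.

```shell
#!/bin/sh
# Constructed throw-away PKI; every name and subject here is made up.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca PREFIX CN: self-signed CA certificate and key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue CA_PREFIX LEAF_PREFIX CN: leaf certificate signed by that CA
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
    openssl x509 -req -in "$work/$2.csr" -days 1 -CAcreateserial \
        -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.pem" 2>/dev/null
}

# trusted_by CA_PREFIX LEAF_PREFIX: succeeds only if the leaf chains to that CA.
# Stands in for the server's check of a client certificate against CA_file.
trusted_by() {
    openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
}

make_ca server-ca "Example Commercial Server CA"
make_ca user-ca   "Example Home-Grown User CA"
issue server-ca radius "radius.example.org"   # what goes in certificate_file
issue user-ca   alice  "alice"                # a client certificate

# CA_file = user-ca.pem: the client is accepted, the server CA plays no part.
trusted_by user-ca alice && echo "alice verifies against user-ca"
# Had CA_file held the server's CA instead, the same client would be rejected.
trusted_by server-ca alice || echo "alice does NOT verify against server-ca"
```

Putting the server's issuing CA into CA_file would instead make every certificate from that CA acceptable as a client certificate, which is why the two files normally differ.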