Fernando Calvelo Vazquez <fernando.calv...@esrf.fr> wrote:
>
> How can I force the CA validation on an EAP-TTLS configuration?
> If in my Windows-Supplicant software I select the CA validation, it
> works. But if I remove it, and I use only the User-Credentials
> Authentication part... it works also.
> I would like to force that the CA certification Authentication part must
> be mandatory also.
>
> (I'm using windows-supplicant software with EAP-TTLS method)
> Thanks in advance,
>

You cannot, this is a client side issue. It is an identical situation to connecting to 'secure' websites: the secure website cannot do anything to prevent the user overriding and accepting an expired/invalid cert when connecting to their site.

It's one of the reasons we use SecureW2, as it lets you 'script' this cert validation[1]. This is great for situations where you do not administratively control the connecting workstations (like in a university); however, if this is a company where you have admin rights to all the machines, they probably are part of an AD domain and so you can set up a GPO (or whatever it is called) to do this for you instead.

Cheers

[1] I hope you are also validating the subject line, otherwise you are
    making the CA validation (for commercially signed certs) pointless

-- 
Alexander Clouter
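
The two client-side checks from the reply and its footnote, shown as an added example that is not part of the original thread. It uses wpa_supplicant, a different supplicant from the Windows one and SecureW2 discussed above, because its profile is a plain text file. The SSID, identities, password, CA path and server name are constructed placeholders.

```conf
# wpa_supplicant.conf (added example; every value is a constructed placeholder)
# The two network blocks are alternatives for the same SSID: deploy only (b).

# (a) Weak profile: no ca_cert, so the RADIUS server certificate is not
#     verified and the inner credentials go to whichever server answers.
network={
    ssid="example-campus"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="REPLACE_ME"
}

# (b) Corrected profile: pin the issuing CA *and* the server name.
#     ca_cert alone would accept any certificate that CA has issued,
#     which is the footnote's point about commercially signed certs.
network={
    ssid="example-campus"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="REPLACE_ME"
    # CA that signed the RADIUS server certificate
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # Server certificate name must be this host or a subdomain of it
    domain_suffix_match="radius.example.org"
}
```

As the reply says, nothing on the RADIUS server can require profile (b); it has to be pushed to the clients by an installer or by policy.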