Hi List,

at work, I have the following requirements for IP phones which should be authenticated before joining the network:

- Root CA --> Sub CA --> Device certificates
- The phones have the Sub CA certificate locally installed as "trustworthy" (NOT the Root CA certificate!)
- The RADIUS server must only send its server certificate (not the whole chain)
- The phones only send their device certificate to the RADIUS server

I tried to build this scenario with FreeRADIUS (2.1.10, on Debian), but got stuck at the following points:

- I only put the RADIUS server certificate into certificate_file. But as soon as CA_path or CA_file are set, FreeRADIUS sends the whole certificate chain to the phone.
- As soon as I unset CA_path and CA_file, FreeRADIUS sends only the content of certificate_file to the phone, which is what I want. Of course, phone certificate checking then doesn't work anymore.
- So I thought that I would implement phone certificate checking using the "verify" block. But this only seems to work "on top" of the built-in certificate checking.

Does anybody have a hint?

Thanks,
Sven
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
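The trust layout in the post (Root CA, Sub CA, device and server certificates, with each side trusting only the Sub CA) can be rehearsed outside FreeRADIUS with plain openssl. The script below is an added example, not code from the post or from the FreeRADIUS project: it builds a throwaway three-level PKI (all subjects, file names and the temporary directory are constructed) and then runs the checks each side would have to perform. It shows that a relying party holding only the Sub CA can verify a lone end-entity certificate, but only with `-partial_chain` (OpenSSL 1.0.2 or newer), and that a root-only trust store needs the intermediate supplied separately. The same applies to the `client = ".../openssl verify ..."` command that the sample eap.conf `verify` block of FreeRADIUS 2.x invokes: with just the Sub CA in `CA_file` that command needs `-partial_chain`, otherwise it reports "unable to get issuer certificate".

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway
# Root CA -> Sub CA -> end-entity PKI built with openssl, used to show
# what each side can verify when it trusts only the Sub CA.
# All subjects, file stems and the work directory are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Self-contained OpenSSL config so the run does not depend on the
# system openssl.cnf; v3_ca marks CA certificates, v3_end marks leaves.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_end ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# Self-signed Root CA (constructed subject)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -config "$CNF" -extensions v3_ca \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# issue STEM SUBJECT ISSUER_STEM EXT_SECTION: key + CSR for STEM, signed by ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -config "$CNF" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$CNF" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
}
issue sub    "/CN=Example Sub CA" root v3_ca    # intermediate, signed by root
issue radius "/CN=radius.example" sub  v3_end   # RADIUS server certificate
issue phone  "/CN=phone-0001"     sub  v3_end   # one device certificate

# The phone's view: only the Sub CA is trusted, the server sends its own
# certificate and nothing else. -partial_chain lets a non-self-signed
# certificate act as the trust anchor.
phone_accepts_server() {
  openssl verify -partial_chain -CAfile "$WORK/sub.pem" "$WORK/radius.pem" >/dev/null 2>&1
}
# Same check without -partial_chain: openssl insists on reaching a
# self-signed root and fails with "unable to get issuer certificate".
phone_accepts_server_without_partial() {
  openssl verify -CAfile "$WORK/sub.pem" "$WORK/radius.pem" >/dev/null 2>&1
}
# The server's view of the device certificate with only the Sub CA installed;
# this is what an external verify command has to do.
server_accepts_phone() {
  openssl verify -partial_chain -CAfile "$WORK/sub.pem" "$WORK/phone.pem" >/dev/null 2>&1
}
# Root-only trust store: fails unless the intermediate is supplied as untrusted input.
root_only_accepts_phone() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/phone.pem" >/dev/null 2>&1
}
root_plus_sub_accepts_phone() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/phone.pem" >/dev/null 2>&1
}
# Number of certificates in a PEM file: a certificate_file that holds only
# the server certificate contains exactly one.
pem_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/$1.pem"; }

# Stand-alone report of every check above.
report() { if "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi; }
for check in phone_accepts_server phone_accepts_server_without_partial \
             server_accepts_phone root_only_accepts_phone root_plus_sub_accepts_phone; do
  report "$check"
done
echo "radius.pem carries $(pem_count radius) certificate(s)"
```

The two rejected cases in the report are the ones worth remembering: a trust store that contains only an intermediate needs `-partial_chain`, and a trust store that contains only the root needs the intermediate from somewhere else, which is exactly the chain the post wants to keep out of the TLS handshake.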
