Alan DeKok wrote on 10.01.2008 11:26:
> Reimer Karlsen-Masur, DFN-CERT wrote:
>> This is definitely more elegant than my suggestion but I found that many
>> FreeRADIUS admins get confused by the
>>
>> CA_file
>> CA_path
>>
>> options. They think that they need to place the CA chain from *their
>> FreeRADIUS server's SSL certificate* in the file/directory specified in the above
>> options.
>
> I've added some comments in eap.cnf && raddb/certs/README explaining
> more about these issues.
>
>> But by doing so they most likely implicitly trust these CAs for
>> client authentication via EAP-TLS, i.e. they enabled EAP-TLS with some set of
>> trusted CAs that were never intended to authenticate client certs for their
>> organisation.
>
> That's the whole purpose of CA_file, to be honest.
Agreed, but usually the CAs in the chain of the RADIUS server's SSL certificate are *not* the CAs that one wants to trust for organisational client authentication. Certs for client authN are mainly issued by organisational CAs. Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which has its root CA certificate preinstalled in the standard certificate stores...

Very good that you added some explanatory comments to these options.

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN-Workshop "Sicherheit in vernetzten Systemen" on 13/14 February 2008 at CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
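As an added illustration of the point made in this thread (not code from the thread or from FreeRADIUS), the script below uses openssl to build two throwaway CAs, a "public" one that issues the RADIUS server's own certificate and an organisational one that issues EAP-TLS client certificates, and then checks client certificates against each bundle the way a CA_file trust store would. It assumes openssl is on PATH; every CA, certificate and name is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or FreeRADIUS: shows what CA_file ends up
# trusting for EAP-TLS client authentication. Requires openssl; every CA and
# certificate here is a constructed throwaway.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 = file prefix, $2 = CN
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# End-entity cert signed by a CA: $1 = CA prefix, $2 = output prefix, $3 = CN
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Approximates the chain check the server's TLS stack performs against CA_file:
# $1 = CA bundle (what CA_file points at), $2 = client cert presented in EAP-TLS
verify_client() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

mkca public-ca "Public Root CA"   # issued the RADIUS server's own certificate
mkca org-ca    "Example Org CA"   # meant to issue the organisation's client certs
issue public-ca radius-server "radius.example.org"
issue org-ca    org-client    "alice@example.org"
issue public-ca other-client  "some-unrelated-subscriber"

# Misconfiguration from the thread: CA_file = chain of the server certificate,
# so any client cert that public CA ever issued passes the chain check.
echo "server chain as CA_file, cert from the public CA: $(verify_client "$WORK/public-ca.pem" "$WORK/other-client.pem")"
# Correct: CA_file = organisational CA only.
echo "org CA as CA_file, org-issued client cert:        $(verify_client "$WORK/org-ca.pem" "$WORK/org-client.pem")"
echo "org CA as CA_file, cert from the public CA:       $(verify_client "$WORK/org-ca.pem" "$WORK/other-client.pem")"
```

The first line prints "accepted", which is exactly the unintended trust the thread describes; the organisational bundle accepts only its own client and rejects the other.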