Reimer Karlsen-Masur, DFN-CERT wrote:
> Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which
> has its root CA certificate preinstalled in the standard certificate stores...
No. You are saying that the supplicant should trust those root CAs for ALL authentication. I.e., you have a certificate for "example.com", signed by Verisign. The supplicant is configured to trust the Verisign-signed certificates, because that's what you have. Now *anyone* who is issued a certificate from Verisign can authenticate your users. If your users are using EAP-TTLS with PAP authentication, you've just convinced them to send their clear-text password to some random person on the Internet.

RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That means that no one else can successfully convince the users to send them the passwords.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
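The trust-store argument above, as an added worked example that is not part of the original thread and not FreeRADIUS code. It uses only the Go standard library to build, in memory, a stand-in "public" root CA (the Verisign of the post), a private self-signed CA for the organisation's RADIUS server, the legitimate server certificate issued by the private CA, and a rogue certificate an attacker obtained from the public CA for a domain they own. It then evaluates both supplicant trust policies against both server certificates. All CA names and hostnames are constructed for the demo; the supplicant model deliberately checks only that the chain ends at a trusted CA, with no subject or hostname match, which is the configuration the post describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on a setup error; this demo only builds throwaway keys and certs.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed CA. It stands in for either a public root CA
// preinstalled in the OS store or a private CA run just for the RADIUS server.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueServerCert has the given CA issue a TLS server certificate, as a
// RADIUS/EAP server (or an attacker's rogue RADIUS server) would present.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// supplicantAccepts models the supplicant's check of the certificate the EAP
// server presents in the TLS handshake: the chain must end at a CA in the
// supplicant's trust store. No hostname/subject match is performed, which is
// the (weak) supplicant configuration the post is about.
func supplicantAccepts(trust *x509.CertPool, server *x509.Certificate) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: trust})
	return err == nil
}

// Result records which server certificates each trust policy accepts.
type Result struct {
	PublicStoreAcceptsRogue bool // trust the public root: attacker's cert passes
	PrivateCAAcceptsRogue   bool // trust only the private CA: attacker's cert fails
	PrivateCAAcceptsLegit   bool // trust only the private CA: real server passes
}

// Scenario builds the situation from the post with constructed CAs and hostnames.
func Scenario() Result {
	publicRoot, publicKey := newCA("Public Root CA (stand-in for Verisign)")
	privateCA, privateKey := newCA("Example Org RADIUS CA (self-signed)")
	legit := issueServerCert(privateCA, privateKey, "radius.example.com", 2)
	// The attacker simply buys a certificate for a domain they own from the same public CA.
	rogue := issueServerCert(publicRoot, publicKey, "hotspot.attacker.example", 3)
	publicStore := x509.NewCertPool()
	publicStore.AddCert(publicRoot)
	privateStore := x509.NewCertPool()
	privateStore.AddCert(privateCA)
	return Result{
		PublicStoreAcceptsRogue: supplicantAccepts(publicStore, rogue),
		PrivateCAAcceptsRogue:   supplicantAccepts(privateStore, rogue),
		PrivateCAAcceptsLegit:   supplicantAccepts(privateStore, legit),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints `{PublicStoreAcceptsRogue:true PrivateCAAcceptsRogue:false PrivateCAAcceptsLegit:true}`: with the public root in the supplicant's store, the attacker's perfectly valid certificate is accepted and an EAP-TTLS/PAP client would hand over its password; with only the private CA trusted, only the organisation's own server can complete the tunnel. In practice a supplicant should pin the private CA (for example wpa_supplicant's `ca_cert`) and additionally restrict the server name (`domain_match` or `subject_match`); the name check is a second layer, not a substitute for not trusting a CA that issues to the whole world.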