Hi!

We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is
working, but after seeing a tcpdump, the Radius Server is sending all known
CA Certificates to the Client during EAP TLS Negotiation.

Our Config looks like this:
private_key_file = ${certdir}/radius_server.key
  Containing the private Key of the Radius Server

certificate_file = ${certdir}/radius_server.crt
  This contains the radius certificate and the corresponding self-signed
  CA certificate.

CA_file = ${cadir}/trusted_ca.pem
  Contains different sub-CA certificates and the self-signed root
  certificate of the sub-CA used to issue client certs (!= server cert)

During EAP-TLS negotiation the Radius Server sends all known certificates
(the ones in the certificate_file and the one in the CA_file) to the client.

Is it possible to change the behaviour that only the certs in the
certificate_file are used?

This should be enough for the clients to verify the server certificate.

-- 
Regards
Daniel Finger

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
