On 09/07/12 13:04, Sven Dreyer wrote:
Hi List,

at work, I have the following requirements for IP phones which should be
authenticated before joining the network:

- Root CA --> Sub CA --> Device certificates
- The phones have the Sub CA certificate locally installed as
"trustworthy" (NOT the Root CA certificate!)
- The RADIUS server must only send its server certificate (not the whole
chain)

Why?

- I only put the RADIUS server certificate to certificate_file. But as
soon as CA_path or CA_file are set, FreeRADIUS sends the whole
certificate chain to the phone.

I'm afraid the current TLS code works that way. You would need to patch the source if you want a different set of server CA and client CA objects.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html