Mathieu Simon wrote:
> Usually I've seen examples for EAP-TLS setups that used a server-side
> certificate issued from the same CA as the one it should allow EAP-TLS
> clients who present their certificate to FR.

Yes.

> Am I guessing correctly that CA_file can contain a different list of CA(s)
> than the server certificate that is shown to the client?

Yes. It contains a list of valid CAs.

> The real-life example would be that people could use PEAP-MSCHAPv2 for
> credential-based logins (server certificate being signed by a "trusted"
> external CA)

While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access. It's usually a bad idea.

> while some devices could log in using EAP-TLS but only when they present
> a certificate from an internal CA (that usually isn't being trusted by
> devices outside of the control of the IT department).

That works. The client will need *both* CAs.

But why be this complicated? Just use one CA, which is for both EAP-TLS and PEAP. It can issue client certs to some machines, and *not* issue client certs to others.

You don't need one CA per EAP method.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
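The split Mathieu describes (server certificate from one CA, client certificates accepted only from another) maps onto two separate settings in the FreeRADIUS `eap` module: `certificate_file` is what the server presents, and `ca_file` is the trust list used to validate client certificates. The fragment below is an added illustration of that layout for FreeRADIUS 3.x (`mods-available/eap`); it is not code from the original thread or from the FreeRADIUS project, and the file names under `${certdir}` are assumptions.

```conf
# Added example (not from the original thread): FreeRADIUS 3.x
# mods-available/eap, showing that the CA behind the server certificate
# and the CAs trusted for client certificates are configured independently.
# File names under ${certdir} are assumptions for illustration.
eap {
    default_eap_type = peap

    tls-config tls-common {
        # Server identity presented to every supplicant (PEAP and EAP-TLS).
        # Here it is issued by an external CA; server-chain.pem holds the
        # server certificate followed by the external CA's intermediates.
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server-chain.pem

        # Trust list for *client* certificates. Only certificates issued by
        # the internal CA pass EAP-TLS. The external CA that signed the
        # server certificate is deliberately NOT listed, so a certificate it
        # issued to some unrelated party cannot be used for network access.
        ca_file = ${certdir}/internal-ca.pem

        dh_file = ${certdir}/dh

        # Optional extra pin on the client cert's issuer DN, in case
        # ca_file ever grows to more than one CA. The DN value here is
        # an assumption.
        check_cert_issuer = "/C=CH/O=Example Corp/CN=Example Internal CA"
    }

    # EAP-TLS: client certificates are required and checked against ca_file.
    tls {
        tls = tls-common
    }

    # PEAP-MSCHAPv2: same server certificate, no client certificate.
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
```

The check a practitioner should make after deploying this: present a certificate signed by the external CA to the EAP-TLS method and confirm it is rejected (the `radiusd -X` debug output will show the TLS verify failure), since the only thing keeping external-CA certificates out is the contents of `ca_file`. Note that `ca_file` does not change what supplicants trust on their side; PEAP and EAP-TLS clients still need the external CA in their own trust store to validate the server certificate, and trust for that CA should be scoped to the wireless profile, not the whole system, for exactly the reason Alan gives.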