Re: EAP-TLS: limiting client certs to a select group (FreeRADIUS Users forum, Networking and Network Related category)
I tried using my own hand-generated SSL certs, as well as a set generated by the certs.sh script, and get the same type of problem.

Question: if the CA_file certificate contains a private key, would this cause my problem? I don't think it has one, but can't say with certainty until I get in to work tomorrow and check it out.

One clue I've been seeing is that if I set check_crl = yes, no certificate gets validated at all; set it to "no" and any client cert will allow the client into my network.

Thanks!

On Tue, 15 Mar 2005 00:21:19 +0100, Michael Riviera <mail@michaelriviera.com> wrote:
> Use this in eap.conf:
>
> CA_file = /path/to/certs/ca-cert.pem
>
> ca-cert.pem should contain the certificate, but not private key, of your CA.
>
> Michael
>
> Jon Franklin wrote:
>
> > I've managed to get freeradius 1.0.1 working with EAP-TTLS, PEAP, and
> > TLS (mostly), but I found that with EAP-TLS, I can use any client
> > certificate I want, and freeradius will allow the client through.
> > This presents a major security hole in my configuration, and I can't
> > seem to figure out how to lock it down.
> >
> > Is there a way to configure freeradius to only accept client certs
> > issued by a specific CA? Either that or only allow a specific set of
> > certs (say, copies of the certs in a directory, for example), either
> > way would be fine for my purposes.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Jon Franklin
jvfranklin@gmail.com

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
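The two checks this thread turns on are whether the `tls` section of eap.conf actually points at a `CA_file`, and whether that file holds only the CA certificate and not its private key, as Michael's reply says it should. The script below is an added example written for this page, not FreeRADIUS code and not something either poster supplied: it pulls the settings out of a `tls { ... }` block and audits the PEM blocks in the referenced CA file. The eap.conf text and the PEM files are constructed samples with placeholder bodies; `certificate_file` and `private_key_file` are the standard eap.conf key names, `CA_file` and `check_crl` are the ones discussed above.

```python
"""Audit the tls section of a FreeRADIUS eap.conf and the file it names in
CA_file.  Added example for this thread, not code from the FreeRADIUS project.
All inputs below are constructed samples."""
import re

# Constructed sample of an eap.conf tls section (only a single nesting level).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = tls
    tls {
        private_key_file = /etc/raddb/certs/server-key.pem
        certificate_file = /etc/raddb/certs/server-cert.pem
        CA_file = /etc/raddb/certs/ca-cert.pem   # CA that issued client certs
        check_crl = no
    }
}
"""

# Constructed CA file as Michael describes it: the CA certificate only.
# The base64 body is a placeholder, not a real certificate.
GOOD_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCAcertBody==
-----END CERTIFICATE-----
"""

# Constructed CA file with the CA's private key mixed in (the case Jon asks about).
BAD_CA_PEM = GOOD_CA_PEM + """-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderPrivateKeyBody==
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def parse_tls_section(conf_text):
    """Return {key: value} for the first tls { ... } block.

    Handles the flat key = value layout used here; '#' starts a comment."""
    match = re.search(r"\btls\s*\{(.*?)\}", conf_text, re.S)
    if not match:
        return {}
    settings = {}
    for line in match.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def pem_block_types(pem_text):
    """List the PEM block labels found, in order (e.g. 'CERTIFICATE')."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def audit_ca_file(pem_text):
    """Problems with a CA_file's contents, as a list of strings (empty = fine)."""
    types = pem_block_types(pem_text)
    problems = []
    if "CERTIFICATE" not in types:
        problems.append("CA_file contains no CERTIFICATE block")
    if any("PRIVATE KEY" in t for t in types):
        problems.append("CA_file contains a private key; keep only the CA certificate")
    return problems


def audit_tls_settings(settings):
    """Findings about the tls section itself."""
    findings = []
    if "CA_file" not in settings:
        findings.append("no CA_file set: client certificates are not tied to an issuing CA")
    for required in ("certificate_file", "private_key_file"):
        if required not in settings:
            findings.append("missing %s" % required)
    findings.append("check_crl = %s" % settings.get("check_crl", "no"))
    return findings


if __name__ == "__main__":
    tls = parse_tls_section(SAMPLE_EAP_CONF)
    print("tls settings:", tls)
    print("settings findings:", audit_tls_settings(tls))
    print("good CA file:", audit_ca_file(GOOD_CA_PEM))
    print("bad CA file:", audit_ca_file(BAD_CA_PEM))
```

On a real server you would replace the embedded samples with the contents of the actual eap.conf and of the file named by `CA_file`; the PEM check is deliberately structural (block labels only), so it needs no crypto library and catches exactly the "certificate plus private key in one file" mistake the thread asks about.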