This is a discussion on Re: EAP-TLS: limiting client certs to a select group within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Jon Franklin wrote:
>I tried using my own hand-generated SSL certs, as well as a set
>generated by the certs.sh script, and get the same type of problem.
>Question: if the CA_file certificate contains a private key, would
>this cause my problem? I don't think it has one, but can't say with
>certainty until I get in to work tomorrow and check it out.

It does not _need_ the private key, I have not tried it with one.

>One clue I've been seeing is if I check_crl = yes, no certificate gets
>validated at all; set it to "no" and any client cert will allow the
>client into my network.

The check_crl is for certificate revocation and unless you have things explicitly set up for that it should be set to "no".

>Thanks!

Could you please post the debug log?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
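What having revocation checking "set up" involves, as an added example that is not part of the original post or the FreeRADIUS distribution: a sketch of the revocation-related settings in the `tls` section of eap.conf, assuming an OpenSSL-based build of that era and a hypothetical directory `/etc/raddb/certs/ca`. With `check_crl = yes` and no CRL that OpenSSL can locate for the issuing CA, verification fails for every client certificate, which is consistent with the symptom quoted above.

```conf
# Added example. All paths are hypothetical placeholders; the other tls
# settings (server key, certificate, dh_file, ...) stay as already configured.
tls {
    # CA that issued the client certificates. Only the certificate is
    # needed here, not the CA's private key.
    CA_file = /etc/raddb/certs/ca/cacert.pem

    # Directory holding the CA certificate AND its current CRL, both in
    # PEM form, indexed with:  c_rehash /etc/raddb/certs/ca
    # (assumption: CA_path is available in the installed version)
    CA_path = /etc/raddb/certs/ca

    # Leave at "no" until the CRL is present in CA_path and is being
    # regenerated before its nextUpdate time. An absent or expired CRL
    # makes every client certificate fail validation.
    check_crl = yes
}
```

Setting `check_crl = no` removes the revocation check only; any certificate that chains to `CA_file` is then still accepted.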