Will CA cert be pushed along with the sever cert to the client in eap-tls?

robert.huang
Level 1

Hi All,

I'm aware that in EAP-TLS, the server-side cert will be pushed to the wireless client. I'm wondering if the CA root cert of the RADIUS server will be pushed as well. If not, I guess the client must have the CA cert pre-installed. Is there any documentation that describes this?

Thanks in advance.

Robert

1 Accepted Solution

Accepted Solutions

Scott Fella
Hall of Fame

EAP-TLS requires that the client and RADIUS trust the root CA. The RADIUS will not push down the root CA cert, and that needs to be installed on the device. If these were all domain computers, then the root CA would be pushed. If not, then you have to set up your CA to be able to issue certs to non-domain machines.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***


3 Replies


Thanks Scott.

I'm a little bit confused. Based on the following URL, somebody said the server will send the server cert and the CA. Can you show me the documentation that explains this in detail?

http://security.stackexchange.com/questions/47932/why-is-a-ca-certificate-required-for-eap-tls-clients

"When the server sends a certificate, it actually sends a certificate chain, including the CA which issued it, and the CA above it, and so on, up to the root (the root itself may be sent, but this is optional)."

Root CA is not sent when doing EAP-TLS... the RADIUS sends its certificate to the client and the client has to trust the root CA.... search Google for: eap-tls non-domain machines

Thanks,

Scott

*****Help out others by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***
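The point of both replies, shown with openssl as an added example that is not part of the thread: a throwaway root CA, issuing CA and RADIUS server certificate are created, then the chain the server would present in EAP-TLS (its own cert plus the issuing CA) is verified the way a supplicant would, with and without the root pre-installed. All names and files are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a demo PKI (constructed names)
# and checks the server's EAP-TLS chain against three client trust states.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA certs get CA:TRUE, the server cert does not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext

# Root CA (self-signed). This is what the supplicant must already trust.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -days 30 -sha256 -out root.pem 2>/dev/null

# Issuing (intermediate) CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 30 -sha256 -out inter.pem 2>/dev/null

# RADIUS server certificate, signed by the issuing CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
  -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -in srv.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile srv.ext -days 30 -sha256 -out srv.pem 2>/dev/null

# -untrusted = what arrives in the TLS handshake; -no-CAfile/-no-CApath
# empty the system trust store so only the certs named here count.

# Client with no root installed: the chain arrives but cannot be anchored.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted inter.pem srv.pem >/dev/null 2>&1
}
# Server also sending the root changes nothing: a root received in the
# handshake is just another untrusted certificate.
verify_root_sent_by_server() {
  openssl verify -no-CAfile -no-CApath -untrusted inter.pem -untrusted root.pem \
    srv.pem >/dev/null 2>&1
}
# Client with the root pre-installed in its trust store: chain validates.
verify_with_root() {
  openssl verify -CAfile root.pem -no-CApath -untrusted inter.pem srv.pem >/dev/null 2>&1
}

if verify_without_root; then echo "no root: unexpectedly accepted"; else echo "no root installed: rejected"; fi
if verify_root_sent_by_server; then echo "root from server: unexpectedly accepted"; else echo "root sent by server only: rejected"; fi
if verify_with_root; then echo "root pre-installed: accepted"; else echo "root pre-installed: unexpectedly rejected"; fi
```

The same outcome applies to a supplicant: whatever the RADIUS server includes in its chain, only a root already present in the device's trust store anchors it.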