Cisco Support Community

New Member

Will CA cert be pushed along with the server cert to the client in eap-tls?

Hi All,

I'm aware that in EAP-TLS, the server-side cert will be pushed to the wireless client. I'm wondering if the CA root cert of the RADIUS server will be pushed as well. If not, I guess the client must have the CA cert pre-installed. Is there any documentation that describes this?

Thanks in advance.

Robert

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Will CA cert be pushed along with the server cert to the clie

EAP-TLS requires that the client and RADIUS trust the root CA. The RADIUS will not push down the root CA cert and that needs to be installed on the device. If these were all domain computers then the root CA would be pushed. If not, then you have to set up your CA to be able to issue certs to non-domain machines.

-Scott
*** Please rate helpful posts ***
3 REPLIES
New Member

Re: Will CA cert be pushed along with the server cert to the clie

Thanks Scott.

I'm a little bit confused. Based on the following URL, somebody said the server will send the server cert and the CA. Can you show me the documentation that explains this in detail?

http://security.stackexchange.com/questions/47932/why-is-a-ca-certificate-required-for-eap-tls-clients

When the server sends a certificate, it actually sends a certificate chain, including the CA which issued it, and the CA above it, and so on, up to the root (the root itself may be sent, but this is optional).

Hall of Fame Super Silver

Re: Will CA cert be pushed along with the server cert to the clie

Root CA is not sent when doing EAP-TLS... the RADIUS sends its certificate to the client and the client has to trust the root CA... search Google for: eap-tls non-domain machines

Thanks,

Scott

*****Help out others by using the rating system and marking answered questions as "Answered"*****

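The trust decision discussed in this thread, reproduced with the openssl command line as an added example that is not part of the original posts: a root certificate delivered in the server's chain is only untrusted input, and validation succeeds only when that root is already installed in the client's trust store. The PKI, the file names and the `make_pki` / `client_accepts` helpers are constructed for illustration and assume OpenSSL with its default configuration file is installed.

```shell
#!/bin/sh
# Added example: constructed PKI, hypothetical names, not a real deployment.

# make_pki DIR: create two unrelated self-signed roots and a RADIUS server
# certificate issued by the first one (radius_root).
make_pki() {
    d=$1
    for ca in radius_root other_root; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/radius_root.pem" -CAkey "$d/radius_root.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null
}

# client_accepts TRUST_STORE SENT_CHAIN SERVER_CERT
#   TRUST_STORE: CA certificates pre-installed on the client (trust anchors).
#   SENT_CHAIN:  certificates the server delivers alongside its own. They are
#                passed with -untrusted, so they may help build the path but
#                can never anchor it.
# Returns 0 when the server certificate validates, non-zero otherwise.
client_accepts() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    # Client A has the RADIUS server's root installed.
    if client_accepts "$d/radius_root.pem" "$d/radius_root.pem" "$d/server.pem"; then
        echo "root pre-installed:            server certificate accepted"
    fi
    # Client B only has an unrelated root; the server still sends its own root.
    if ! client_accepts "$d/other_root.pem" "$d/radius_root.pem" "$d/server.pem"; then
        echo "root only sent, not installed: server certificate rejected"
    fi
    rm -rf "$d"
}

demo
```
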