Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
326
Views
0
Helpful
3
Replies

Will CA cert be pushed along with the sever cert to the client in eap-tls?

Go to solution
robert.huang
Level 1
Level 1

‎03-04-2014 07:25 AM - edited ‎07-05-2021 12:20 AM

Hi All,

I'm aware of that in eap-tls, the server-side cert will be pushed to the wireless client. I'm wondering if the CA root cert of the Radius server will be pushed as well. If not, I guess the client must have the CA cert pre-installed. Is there any documentation to describe this?

Thanks in advance.

Robert

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎03-04-2014 07:35 AM

EAP-TLS requires that the client and radius trust the root CA. The radius will not push down the root CA cert and that needs to be installed on the device. If these were all domain computer's then the root CA would be pushed. If not, then you have to setup your CA to be able to issue certs to non domain machines

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎03-04-2014 07:35 AM

EAP-TLS requires that the client and radius trust the root CA. The radius will not push down the root CA cert and that needs to be installed on the device. If these were all domain computer's then the root CA would be pushed. If not, then you have to setup your CA to be able to issue certs to non domain machines

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
robert.huang
Level 1
Level 1
In response to Scott Fella

‎03-04-2014 07:57 AM

Thanks Scott.

I'm a little bit confused. Based on the following url, somebody said sever will send the server cert and the CA. Can you show me the documentation that can explain in detail.

http://security.stackexchange.com/questions/47932/why-is-a-ca-certificate-required-for-eap-tls-clients

When the server sends a certificate, it actually sends a certificate chain,  including the CA which issued it, and the CA above it, and so on, up to  the root (the root itself may be sent, but this is optional).

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to robert.huang

‎03-04-2014 08:05 AM

Root CA is not sent when doing EAP-TLS... the radius sends its certificate to the client and the client has to trust the root CA.... search Goolge for: eap-tls non-domain machines

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card