Added note on global CA

author Alan T. DeKok <aland@freeradius.org>

Thu, 4 Feb 2010 07:50:37 +0000 (08:50 +0100)

committer Alan T. DeKok <aland@freeradius.org>

Thu, 4 Feb 2010 08:01:29 +0000 (09:01 +0100)
author Alan T. DeKok <aland@freeradius.org>
Thu, 4 Feb 2010 07:50:37 +0000 (08:50 +0100)
committer Alan T. DeKok <aland@freeradius.org>
Thu, 4 Feb 2010 08:01:29 +0000 (09:01 +0100)
diff --git a/raddb/eap.conf b/raddb/eap.conf

index 11c4335..faaf8d8 100644 (file)
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -144,6 +144,10 @@
                 #
                 #  http://www.dslreports.com/forum/remark,9286052~mode=flat
                 #
+               #  Note that you should NOT use a globally known CA here!
+               #  e.g. using a Verisign cert as a "known CA" means that
+               #  ANYONE who has a certificate signed by them can
+               #  authenticate via EAP-TLS!  This is likey not what you want.
                 tls {
                         #
                         #  These is used to simplify later configurations.
author	Alan T. DeKok <aland@freeradius.org>
	Thu, 4 Feb 2010 07:50:37 +0000 (08:50 +0100)
committer	Alan T. DeKok <aland@freeradius.org>
	Thu, 4 Feb 2010 08:01:29 +0000 (09:01 +0100)