From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 4 Feb 2010 07:50:37 +0000 (+0100)
Subject: Added note on global CA
X-Git-Tag: release_2_1_9~90
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e8cdcceb23e8f858e4984817ff08eeb70161714;p=thirdparty%2Ffreeradius-server.git

Added note on global CA
---

diff --git a/raddb/eap.conf b/raddb/eap.conf
index 11c4335ee3e..faaf8d8580e 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -144,6 +144,10 @@
 		#
 		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
 		#
+		#  Note that you should NOT use a globally known CA here!
+		#  e.g. using a Verisign cert as a "known CA" means that
+		#  ANYONE who has a certificate signed by them can
+		#  authenticate via EAP-TLS!  This is likey not what you want.
 		tls {
 			#
 			#  These is used to simplify later configurations.