clarification on eap configuration files and certificates

Marco Santantonio marco.santantonio at unito.it
Wed Jun 19 15:39:51 CEST 2019


Many thanks, Alan!



On Wed, 19 Jun 2019 at 15:22, Alan DeKok <
aland at deployingradius.com> wrote:

> On Jun 19, 2019, at 9:04 AM, Marco Santantonio <marco.santantonio at unito.it>
> wrote:
> >
> > I have some doubts about eap module configuration file.
> >
> > In my organization we use a public CA for radius server certificates. The
> > freeradius version is 3.0.12 from debian stable repository.
>
>   You should really upgrade.  There are packages available on
> http://packages.networkradius.com
>
> > What's the difference between:
> > 1)  setting only the server certificate in "certificate_file" and using
> > "ca_file" to indicate the certificate of authority that issued
> > "certificate_file"
> > OR
> > 2) set in "certificate_file" not only the server certificate, but also all
> > of the CA certificates used to sign the server certificate and comment
> > "ca_file" (this is my current configuration)
>
>   There is no real difference.  The certificates will work.
>
>   We allow multiple configurations because sometimes people need *more*
> functionality.  i.e. they can put multiple CAs into "ca_file".  And then
> issue EAP-TLS client certificates from those CAs.
>
> > I ask you this question because the ultimate goal is to deny use of EAP-TLS
> > and allow only PEAP.
>
>   Remove the "tls { ... }" section from mods-available/eap.  EAP-TLS will
> stop working.
>
> > I have read various posts with different solutions and I am a bit confused.
>
>   The comments in the configuration files aren't perfect, but they're not
> terrible.  You should believe the config files over random third-party web
> sites.
>
>   Alan DeKok.



-- 
****************************************
Marco Santantonio
Direzione Sistemi Informativi, Portale, E-learning
Sezione Fonia, VoIP e WiFi
www.unito.it
****************************************
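
An added example, not part of the original thread and not FreeRADIUS's own code: a small check that reads the text of an eap module configuration and reports which sub-sections sit directly under `eap { }`, so you can confirm that no `tls { ... }` block is left after the change described in the reply, and whether `ca_file` is set alongside `certificate_file`. The sample configuration, its file paths and the function names `audit_eap` and `eap_tls_enabled` are assumptions made for illustration; comment stripping is simplified and does not handle a `#` inside a quoted value.

```python
import re

# Constructed sample in the layout of a FreeRADIUS 3.0 mods-available/eap file.
# File names are placeholders; EAP-TLS is disabled by commenting out "tls { }".
SAMPLE_EAP = r'''
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server-fullchain.pem
        # ca_file = ${cadir}/ca.pem
    }
    # tls {
    #     tls = tls-common
    # }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
'''

def audit_eap(text):
    """Return (sub-sections directly under eap{}, settings inside tls-config)."""
    sections, tls_settings, stack = [], {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments (simplified)
        if not line:
            continue
        m = re.match(r'^([\w-]+)(?:\s+([\w-]+))?\s*\{$', line)
        if m:                                  # "name {" or "name instance {"
            if stack == ['eap']:
                sections.append(m.group(1))
            stack.append(m.group(1))
        elif line == '}':
            stack.pop()
        elif '=' in line and stack == ['eap', 'tls-config']:
            key, value = (s.strip() for s in line.split('=', 1))
            tls_settings[key] = value
    return sections, tls_settings

def eap_tls_enabled(text):
    # Looks only for a "tls { }" block directly under eap{}; "tls-config" and
    # the "tls = tls-common" reference inside peap are not counted as EAP-TLS.
    return 'tls' in audit_eap(text)[0]
```

A plain text search for "tls" would match `tls-config` and the `tls = tls-common` line inside `peap`, which is why the check tracks section nesting instead.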

