23 Feb
2024
23 Feb
'24
6:49 a.m.
On 23/02/2024 11:01, Lorenzo Mirabella wrote:
ca_file = ${cadir}/fullchain.pem
A separate point, do NOT add this line. It is the root CA that FreeRADIUS will use to verify client certificates. i.e. if a client comes along and tries to authenticate with EAP-TLS and presents a certificate from that root, they will be accepted. Which means in your situation, anyone with a LetsEncrypt will be able to authenticate. This is certainly not what you want. For EAP-TLS, set it to a private root CA. For any other EAP type, leave it unset. -- Matthew