On Dec 9, 2017, at 12:36 PM, work vlpl <thework.vlpl@gmail.com> wrote:
I should get valid ssl certificate from (Verisign or other CA)
Please don't. It's generally a bad idea. Use a self-signed CA. That way you can control it much better.
and use it in `certificate_file` and `private_key_file`. This is tells radius server clients, what server is valid. Also this will be enough to enable eap-ttls.
That's what the documentation says to do...
The `ca_file` options should point to my self-generated/self-signed CA certificate. And eap-tls clients certificate should be signed by this CA.
Yes.
--- Also I have question not related to freeradius server, but maybe someone have an answer. I can generate client certificate for eap-tls auth method with very long lifetime, like 10 years, and provision clients devices with it only once. But if certificates have short lifetime, I will have to update it periodically. How to do it with minimal user interaction?
Magic. :( Most OS vendors make it hard to push EAP configs to end-user machines. This may help: http:802.1x-config.org Or, there are commercial providers who charge for the same services. Alan DeKok.