Hi, Rafa Marín López wrote:
Reimer Karlsen-Masur, DFN-CERT escribió:
Hi Karlsen,
thanks for the answer, please see inline...
Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored in
CA_file
or
CA_path
So there is no conflict here with certificate_file option.
And IMO usually CA_file and certificate_file should *not* contain the same CA certs Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file.
But with that configuration , the radius server is still sending the CA certificate.
Having said that , your proposal was to not include the CA certificate in the RADIUS server certificate (in certificate_file variable)
My RADIUS server certificate does not have the CA certificate included. Even so, the RADIUS server is including the CA certificate :(...
any alternative solution?.
No. If the configuration is as minimal as suggested (no chain certificates in certificate_file) and FreeRadius is still sending the complete server CA chain build, this must be some FreeRadius magic.... How do you check if FreeRadius is actually sending the chain? -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737