Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration , the radius server is still sending the CA certificate. The CA_path folder is empty and the CA_file is commented out. This should work for you. tls { # # These is used to simplify later configurations. # certdir = ${raddbdir}/certs cadir = ${raddbdir}/certs/trustedCA private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem # Trusted Root CA list - CA_path folder is empty # CA_file = ${cadir}/ca.pem CA_path = ${raddbdir}/certs/trustedCA dh_file = ${certdir}/dh random_file = ${certdir}/random # fragment_size = 1024 # include_length = yes # check_crl = yes # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # check_cert_cn = %{User-Name} # # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". cipher_list = "DEFAULT" #make_cert_command = "${certdir}/bootstrap" } ================================================== Benjamin K. Eshun ----- Message d'origine ---- De : Rafa Marín López <rafa.marinlopez@gmail.com> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc : Rafa Marin Lopez <rafa@dif.um.es> Envoyé le : Mercredi, 20 Juin 2007, 18h10mn 12s Objet : Re: Sending CA certificate during EAP-TLS Reimer Karlsen-Masur, DFN-CERT escribió: Hi Karlsen, thanks for the answer, please see inline...
Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored in
CA_file
or
CA_path
So there is no conflict here with certificate_file option.
And IMO usually CA_file and certificate_file should *not* contain the same CA certs
Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration , the radius server is still sending the CA certificate. Having said that , your proposal was to not include the CA certificate in the RADIUS server certificate (in certificate_file variable) My RADIUS server certificate does not have the CA certificate included. Even so, the RADIUS server is including the CA certificate :(... any alternative solution?.
because I guess in the majority of cases the RADIUS server cert is issued by some (commercial) server CA where as the client certs are mostly issued by some home grown user CA.
Saying that there might be cases where the CA certificates from CA_file are indeed the CA chain certs of the RADIUS server certificate.....
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail