Hi,
In my eap.conf I see the following: # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. #CA_file = ${cadir}/ca.pem
# If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/radius-server.crt so, if you dont use CA_file then you must have the server cert AND its CA chained in the certificate_file
And I'm getting these errors logged from time to time. Feb 23 13:05:07 avocet radiusd[15992]: TLS Alert read:fatal:unknown CA Feb 23 13:05:07 avocet radiusd[15992]: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
the client has tried to use the wrong CA to deal with you. alan