On 12/12/2017, at 4:26 PM, work vlpl <thework.vlpl@gmail.com> wrote:
On 12 December 2017 at 08:36, Nathan Ward <lists+freeradius@daork.net> wrote:
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/certs/READ... <https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/certs/README>
Line 26 onwards: In general, you should use self-signed certificates for 802.1x (EAP) authentication. When you list root CAs from other organisations in the "ca_file", you permit them to masquerade as you, to authenticate your users, and to issue client certificates for EAP-TLS.
Yes, I am aware of it, and I set `ca_file` variable to point my self-generated/self-signed CA certificate. I am asking about `certificate_file` and `private_key_file` variables which represent radius server, and documentation says not to use global know CA only for `ca_file` variable.
I have not tried using a certificate_file that is not trusted by the CA in ca_file, perhaps it doesn’t relate. The documentation seems to indicate that the ca_file is presented along with certificate_file, but, I am not certain, as that is in the radsec stuff not EAP. However: - If you use a 3rd party CA for ca_file, they can create fake users (and could be expensive unless you buy a certificate which can sign certificates..) - If you use a 3rd party CA signed cert for certificate_file, they can create a certificate that impersonates your RADIUS server, and set up fake APs/whatever. This is the main concern. -- Nathan Ward