Reimer Karlsen-Masur, DFN-CERT wrote:
This is definitely more elegant than my suggestion but I found that many FreeRADIUS admins get confused by the
CA_file CA_path
options. They think that they need to place the CA chain from *their FreeRADIUS servers SSL certificate* in the file/directory specified in above options.
I've added some comments in eap.cnf && raddb/certs/README explaining more about these issues.
But by doing so they most likely implicitly trust these CAs for client authentication via eap-tls, ie. they enabled EAP-TLS with some set of trusted CAs that were never intended to authenticate client certs for their organisation.
That's the whole purpose of CA_file, to be honest.
Whereas the CA chain of *their FreeRADIUS servers SSL certificate* should be appended to the server certificate file specified with the
certificate_file
option.
That is another way of doing it.
So since specifying an empty CA_file does not work (FreeRADIUS does not start) the only way for a really clean minimal config that is not allowing EAP-TLS is to have an empty CA_path directory.
That sounds reasonable. I've updated the code to permit CA_file to be empty, and added comments in eap.conf && raddb/certs/README about this. Alan DeKok.