usawebbox@fastmail.fm wrote:
The first comment might be giving you just another place to provide your CA cert, whereas the second comment clearly talks about not permiting EAP-TLS. I say this, because I don't see why the CA would be required at all if EAP-TLS will be denied.
Because PEAP uses certificates, too. The requirement for a CA cert comes from the requirements on certificate chains. It is not a PEAP requirement. PEAP just inherits that requirement because PEAP uses certificates.
All you need is a server cert and private key. In PEAP, the client is the one who needs the CA cert, if he wants to verify the server cert, but even that is optional.
The CA cert is needed by OpenSSL to validate the server cert.
Anyway, can we say now that not providing a CA_file doesn't work?
Provide a CA cert as instructed, either in CA_file or in certificate_file. Alan DeKok.