Hi all, I have one last doubt on the subject. As I said, we use certificates issued by a public CA (Digicert). In the certificates chain that I insert in the certificate_file should i also enter the root CA or, being this public and recognized, do I expect the clients to know it already? Does leaving the CA root in the chain not increase packet exchange with probable longer round-trip times and therefore slower authentications? Many thanks! Marco Il giorno mer 19 giu 2019 alle ore 15:39 Marco Santantonio < marco.santantonio@unito.it> ha scritto:
many thanks Alan!
Il giorno mer 19 giu 2019 alle ore 15:22 Alan DeKok < aland@deployingradius.com> ha scritto:
On Jun 19, 2019, at 9:04 AM, Marco Santantonio < marco.santantonio@unito.it> wrote:
I have some doubts about eap module configuration file.
In my organization we use a public CA for radius server certificates.
The
freeradius version is 3.0.12 from debian stable repository.
You should really upgrade. There are packages available on http://packages.networkradius.com
What's the difference between: 1) setting only the server certificate in "certificate_file" and using "ca_file" to indicate the certificate of authority that issued "certificate_file" OR 2) set in "certificate_file" not only the server certificate, but also all of the CA certificates used to sign the server certificate and comment "ca_file" (this is my current configuration)
There is no real difference. The certificates will work.
We allow multiple configurations because sometimes people need *more* functionality. i.e. they can put multiple CAs into "ca_file". And then issue EAP-TLS client certificates from those CAs.
I ask you this question because the ultimate goal is to deny use of EAP-TLS and allow only PEAP.
Remove the "tls { ... }" section from mods-available/eap. EAP-TLS will stop working.
I have read various posts with different solutions and I am a bit confused.
The comments in the configuration files aren't perfect, but they're not terrible. You should believe the config files over random third-party web sites.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- **************************************** Marco Santantonio Direzione Sistemi Informativi, Portale, E-learning Sezione Fonia, VoIP e WiFi www.unito.it ****************************************
-- **************************************** Marco Santantonio Direzione Sistemi Informativi, Portale, E-learning Sezione Fonia, VoIP e WiFi www.unito.it ****************************************