Not sending all trusted CA Certificates in EAP-TLS Server Hello
Daniel Finger
daniel.finger at ewetel.de
Wed Jan 4 13:34:40 CET 2012
Hi!
We are using 802.1X EAP TTLS to authenticate phones in our network. It is
working, but after looking at a tcpdump, the RADIUS server is sending all known
CA certificates to the client during the EAP TLS negotiation.
Our config looks like this:

    private_key_file = ${certdir}/radius_server.key
        Contains the private key of the RADIUS server.

    certificate_file = ${certdir}/radius_server.crt
        Contains the RADIUS certificate and the corresponding self-signed
        CA certificate.

    CA_file = ${cadir}/trusted_ca.pem
        Contains different sub-CA certificates and the self-signed root
        certificate of the sub-CA used to issue client certs (!= server cert).
During the EAP-TLS negotiation the RADIUS server sends all known certificates
(the ones in the certificate_file and the ones in the CA_file) to the client.
Is it possible to change the behaviour so that only the certs in the
certificate_file are used?
This should be enough for the clients to verify the server certificate.
--
Regards
Daniel Finger
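An added example (not from this post or from FreeRADIUS) that shows the split the post is asking about: given the server certificate and a CA bundle, it follows the server's issuer path by signature check and reports which bundle certificates the server actually needs to present and which are client-CA material that only belongs in the verification store. The PKI (names, keys, validity) is constructed in memory for the demo; real bundles would be parsed from PEM.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert issues a constructed test certificate for cn; parent == nil makes it a self-signed root.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// splitBundle walks the server cert's issuer path through the bundle by signature check: certs on that path must be sent, the rest belong only in the client-verification store.
func splitBundle(server *x509.Certificate, bundle []*x509.Certificate) (needed, extra []string) {
	onPath := map[*x509.Certificate]bool{}
	for cur, found := server, true; found; {
		found = false
		for _, c := range bundle {
			if !onPath[c] && cur.CheckSignatureFrom(c) == nil {
				needed, onPath[c], cur, found = append(needed, c.Subject.CommonName), true, c, true
				break
			}
		}
	}
	for _, c := range bundle {
		if !onPath[c] {
			extra = append(extra, c.Subject.CommonName)
		}
	}
	return needed, extra
}
// demo builds a constructed PKI shaped like the post's: the server's own chain plus an unrelated client CA.
func demo() (needed, extra []string) {
	root, rootKey := mkCert("Server Root CA", true, nil, nil)
	sub, subKey := mkCert("Server Sub-CA", true, root, rootKey)
	srv, _ := mkCert("radius.example", false, sub, subKey)
	croot, _ := mkCert("Client Root CA", true, nil, nil)
	return splitBundle(srv, []*x509.Certificate{sub, root, croot})
}
func main() { fmt.Println(demo()) }
```

Anything reported as extra is a certificate the client never needs for server verification, so it adds EAP round trips without adding trust.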