Not sending all trusted CA Certificates in EAP-TLS Server Hello
Alan DeKok
aland at deployingradius.com
Wed Jan 4 15:09:42 CET 2012
Daniel Finger wrote:
> We are using 802.1X EAP-TTLS to authenticate phones in our network. It is
> working, but after seeing a tcpdump, the RADIUS server is sending all known
> CA certificates to the client during EAP-TLS negotiation.
That's largely how EAP-TLS works.
> CA_file = ${cadir}/trusted_ca.pem
> Contains different sub-CA certificates and the self-signed root
> certificate of the sub-CA used to issue client certs (!= server cert)
>
> During EAP-TLS negotiation the RADIUS server sends all known certificates
> (the ones in the certificate_file and the ones in the CA_file) to the client.
>
> Is it possible to change the behaviour that only the certs in the
> certificate_file are used?
Use CA_path instead of CA_file. That might help.
Alan DeKok.
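As an added example (not from this thread or from FreeRADIUS itself), a POSIX shell script that prepares a CA_path directory from a trusted_ca.pem bundle: one certificate per file plus the subject-hash symlinks that OpenSSL's directory lookup needs (the same thing c_rehash does). The paths, function names and the eap.conf lines in the trailing comment are assumptions based on the 2.x tls section layout.

```sh
#!/bin/sh
# Turn a CA bundle (CA_file style) into a hashed directory (CA_path style).
set -eu

# split_pem_bundle BUNDLE OUTDIR: write OUTDIR/cert-N.pem per certificate,
# print the number of certificates found.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# rehash_dir OUTDIR: link <subject_hash>.<i> -> cert file for every
# certificate, so OpenSSL can find an issuer by hashed subject name.
rehash_dir() {
    dir=$1
    for f in "$dir"/cert-*.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$f")
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$i"
    done
}

# Stand-alone usage: sh this.sh trusted_ca.pem /etc/raddb/certs/cas
# Then point the tls section of eap.conf at the directory (hypothetical paths):
#   # CA_file = ${cadir}/trusted_ca.pem
#   CA_path = ${cadir}/cas
if [ $# -eq 2 ]; then
    split_pem_bundle "$1" "$2"
    rehash_dir "$2"
fi
```

Re-run rehash_dir whenever a certificate is added to or removed from the directory, since stale hash links are not cleaned up.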