Question on certificates before deep dive into EAP-TLS

Alan DeKok
aland at deployingradius.com
Thu Apr 11 20:08:45 CEST 2013

Mathieu Simon wrote:
> Usually I've seen examples for EAP-TLS setups that used a server-side
> certificate issued from the same CA as the one it should allow EAP-TLS
> clients who present their certificate to FR.
  Yes.
> Am I guessing correctly that CA_file can contain a different list of CA(s)
> than the server certificate that is shown to the client?
  Yes.  It contains a list of valid CAs.
> The real-life example would be that people could use PEAP-MSCHAPv2 for
> credential-based logins (server certificate being signed by a "trusted"
> external CA),
  While that works, it's not recommended.  It means that the client will
trust *any* certificate signed by that CA, for network access.
  It's usually a bad idea.
> while some devices could login using EAP-TLS but only when they present
> a certificate from an internal CA (that usually isn't being trusted by
> devices outside of control of the IT department).
  That works.  The client will need *both* CAs.
  But why be this complicated?  Just use one CA, which is for both
EAP-TLS and PEAP.  It can issue client certs to some machines, and *not*
issue client certs to others.
  You don't need one CA per EAP method.
  Alan DeKok.
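As an added illustration of the split discussed above (this is not part of Alan's reply or of the FreeRADIUS distribution), here is what the FreeRADIUS 2.x eap.conf tls section looks like when the server certificate comes from one CA and CA_file lists a different, internal CA for client certificates. The file names under ${certdir} and ${cadir} are assumptions.

```conf
# eap.conf (FreeRADIUS 2.x), EAP module. One tls section serves both
# EAP-TLS and PEAP; the keys below are the stock 2.x names.
# Paths are assumed for this example; adjust to your raddb layout.
eap {
	default_eap_type = peap
	certdir = ${confdir}/certs
	cadir = ${confdir}/certs

	tls {
		# Identity shown TO the client. Signed by an external CA so
		# PEAP supplicants already trust it without extra installs.
		certificate_file = ${certdir}/server-external.pem
		private_key_file = ${certdir}/server-external.key
		private_key_password = CHANGE_ME_placeholder

		# CAs trusted FOR client certificates. Independent of the
		# issuer of certificate_file. Only client certs chaining to a
		# CA in this PEM bundle are accepted for EAP-TLS. Several CAs
		# can be listed by concatenating their PEM files. Listing the
		# external CA here would let *any* cert it issued get on the
		# network, which is the problem Alan describes.
		CA_file = ${cadir}/internal-ca.pem

		# Optional CRL checking; CRLs live in CA_path (c_rehash'd).
		CA_path = ${cadir}
		check_crl = no

		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		cipher_list = "DEFAULT"
	}

	peap {
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
```

Supplicants must trust the external CA to accept the server certificate, and EAP-TLS clients additionally need a certificate issued by the internal CA, which is the "both CAs" point made above.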