Server certificate and clients (eap-tls) certificate

Nathan Ward lists+freeradius at
Tue Dec 12 04:43:04 CET 2017

> On 12/12/2017, at 4:26 PM, work vlpl <thework.vlpl at> wrote:
> On 12 December 2017 at 08:36, Nathan Ward <lists+freeradius at> wrote:
>> <>
>> Line 26 onwards:
>>  In general, you should use self-signed certificates for 802.1x (EAP)
>> authentication.  When you list root CAs from other organisations in
>> the "ca_file", you permit them to masquerade as you, to authenticate
>> your users, and to issue client certificates for EAP-TLS.
> Yes, I am aware of it, and I set `ca_file` variable to point my
> self-generated/self-signed CA certificate.
> I am asking about `certificate_file` and `private_key_file` variables
> which represent radius server, and documentation says not to use
> global know CA only for `ca_file` variable.

I have not tried using a certificate_file that is not trusted by the CA in ca_file, perhaps it doesn’t relate. The documentation seems to indicate that the ca_file is presented along with certificate_file, but, I am not certain, as that is in the radsec stuff not EAP.

- If you use a 3rd party CA for ca_file, they can create fake users (and could be expensive unless you buy a certificate which can sign certificates..)
- If you use a 3rd party CA signed cert for certificate_file, they can create a certificate that impersonates your RADIUS server, and set up fake APs/whatever. This is the main concern.

Nathan Ward

More information about the Freeradius-Users mailing list