Two questions about EAP-TLS

Alan DeKok aland at
Mon Aug 13 19:47:08 CEST 2018

On Aug 13, 2018, at 1:29 PM, Norman Elton <normelton at> wrote:
> We've been running PEAP + MS-CHAPv2 for many many years. Beginning to
> experiment with EAP-TLS, and have two questions ...
> - My certificates are generated by an intermediate CA. It appears I
> need to put both the root and intermediate CA into the CA_file
> (ca.pem)? I was expecting to put the root CA somewhere else, to
> indicate that it is only used to trust the intermediate.

  You should be able to put the root CA into the "certs" directory.  And then OpenSSL will pick it up automatically.

> - It seems that FreeRADIUS won't start if I comment out the
> certificate_file and private_key_file. My understanding is that these
> are only used for MS-CHAPv2, and are irrelevant in an EAP-TLS
> environment. Correct me if I'm wrong here. Should I just leave these
> as self-signed dummy certificates?
  PEAP is pretty much EAP-TLS plus MS-CHAP.  MS-CHAP doesn't need the certs.  EAP-TLS does.

  There's a reason that the PEAP configuration references TLS.  Because PEAP needs TLS.

  And there's reason that the EAP-TLS configuration references TLS.  And the certificates.  Because EAP-TLS needs TLS.

  Alan DeKok.
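As an added illustration of the first question (this is not code from the thread or from the FreeRADIUS project), the script below assembles the PEM bundle that FreeRADIUS reads through `ca_file`, counts the certificates in it as a sanity check, and verifies a server certificate against it with `openssl verify`. File names such as `intermediate.pem`, `root.pem`, `server.pem` and the `/etc/raddb/certs` directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeRADIUS
# project. Builds the CA bundle used by ca_file and checks a server
# certificate against it. All file names here are assumptions.
set -eu

# Write the intermediate and then the root, in that order, into one
# PEM bundle. Each input is followed by a newline if it lacks one, so
# the next BEGIN line is not glued onto the previous END line.
build_ca_bundle() {
  out=$1; shift
  : > "$out"
  for cert in "$@"; do
    cat "$cert" >> "$out"
    [ -z "$(tail -c1 "$cert")" ] || printf '\n' >> "$out"
  done
}

# Count CERTIFICATE blocks in a PEM file. A bundle built from
# intermediate + root should report 2; an empty file reports 0.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Verify that a leaf certificate chains up to the bundle.
# Exit status 0 means the chain is trusted. Requires openssl.
verify_against_bundle() {
  openssl verify -CAfile "$1" "$2"
}

# Create the subject-hash symlinks OpenSSL needs when a directory is
# used via ca_path (the "certs" directory approach). Newer OpenSSL
# ships "openssl rehash"; older releases use the c_rehash script.
rehash_dir() {
  openssl rehash "$1" 2>/dev/null || c_rehash "$1"
}

# Usage (assumed paths):
#   build_ca_bundle /etc/raddb/certs/ca.pem intermediate.pem root.pem
#   verify_against_bundle /etc/raddb/certs/ca.pem server.pem
#   rehash_dir /etc/raddb/certs
```

Either layout works with FreeRADIUS: point `ca_file` at the combined bundle, or drop the root into the directory named by `ca_path` and rehash it so OpenSSL can find it by subject hash. `certificate_file` and `private_key_file` remain mandatory because they are what the server presents during the TLS handshake; when the server certificate is issued by an intermediate, `certificate_file` should contain the server certificate followed by the intermediate so that supplicants can build the chain up to the root they trust.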
