clarification on eap configuration files and certificates

Alan DeKok aland at
Wed Jun 19 15:22:05 CEST 2019

On Jun 19, 2019, at 9:04 AM, Marco Santantonio <marco.santantonio at> wrote:
> I have some doubts about eap module configuration file.
> In my organization we use a public CA for radius server certificates. The
> freeradius version is 3.0.12 from debian stable repository.

  You should really upgrade.  There are packages available on

> What's the difference between:
> 1)  setting only the server certificate in "certificate_file" and using
> "ca_file" to indicate the certificate of authority that issued
> "certificate_file"
> OR
> 2) set in "certificate_file" not only the server certificate, but also all
> of the CA certificates used to sign the server certificate and comment
> "ca_file" (this is my current configuration)

  There is no real difference.  The certificates will work.

  We allow multiple configurations because sometimes people need *more* functionality.  i.e. they can put multiple CAs into "ca_file".  And then issue EAP-TLS client certificates from those CAs.

> I ask you this question because the ultimate goal is to deny use of EAP-TLS
> and allow only PEAP.

  Remove the "tls { ... }" section from mods-available/eap.  EAP-TLS will stop working.

> I have read various posts with different solutions and I am a bit confused.

  The comments in the configuration files aren't perfect, but they're not terrible.  You should believe the config files over random third-party web sites.

  Alan DeKok.

More information about the Freeradius-Users mailing list