clarification on eap configuration files and certificates
Marco Santantonio
marco.santantonio at unito.it
Wed Jun 19 15:39:51 CEST 2019
Many thanks, Alan!
On Wed, 19 Jun 2019 at 15:22, Alan DeKok <aland at deployingradius.com> wrote:
> On Jun 19, 2019, at 9:04 AM, Marco Santantonio <marco.santantonio at unito.it> wrote:
> >
> > I have some doubts about eap module configuration file.
> >
> > In my organization we use a public CA for radius server certificates. The
> > freeradius version is 3.0.12 from debian stable repository.
>
> You should really upgrade. There are packages available on
> http://packages.networkradius.com
>
> > What's the difference between:
> > 1) setting only the server certificate in "certificate_file" and using
> > "ca_file" to indicate the certificate of authority that issued
> > "certificate_file"
> > OR
> > 2) set in "certificate_file" not only the server certificate, but also all
> > of the CA certificates used to sign the server certificate and comment
> > "ca_file" (this is my current configuration)
>
> There is no real difference. The certificates will work.
>
> We allow multiple configurations because sometimes people need *more*
> functionality. i.e. they can put multiple CAs into "ca_file". And then
> issue EAP-TLS client certificates from those CAs.
>
> > I ask you this question because the ultimate goal is to deny use of EAP-TLS
> > and allow only PEAP.
>
> Remove the "tls { ... }" section from mods-available/eap. EAP-TLS will
> stop working.
>
> > I have read various posts with different solutions and I am a bit confused.
>
> The comments in the configuration files aren't perfect, but they're not
> terrible. You should believe the config files over random third-party web
> sites.
>
> Alan DeKok.
--
****************************************
Marco Santantonio
Direzione Sistemi Informativi, Portale, E-learning
Sezione Fonia, VoIP e WiFi
www.unito.it
****************************************
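
Added example, not part of the original thread or of the FreeRADIUS distribution: a sketch of mods-available/eap showing the two certificate layouts discussed above and PEAP kept while the "tls { ... }" method section is removed. It assumes the stock 3.0.x layout with a shared "tls-config tls-common" block; the file names are placeholders.

```conf
# mods-available/eap (assumed FreeRADIUS 3.0.x layout; file names are placeholders)
eap {
	default_eap_type = peap

	# Shared TLS settings, referenced by each TLS-based EAP method below.
	tls-config tls-common {
		private_key_file = ${certdir}/server.key

		# Layout 1: only the server certificate here, issuing CA in ca_file.
		# Per the reply above, CAs listed in ca_file are also the ones
		# EAP-TLS client certificates can be issued from.
		#certificate_file = ${certdir}/server.pem
		#ca_file = ${cadir}/issuing-ca.pem

		# Layout 2 (the poster's current setup): server certificate first,
		# then the CA certificates used to sign it; ca_file commented out.
		certificate_file = ${certdir}/server-fullchain.pem
		#ca_file = ${cadir}/issuing-ca.pem
	}

	# EAP-TLS disabled: the "tls { ... }" method section is removed
	# (shown commented out here so the difference is visible).
	#tls {
	#	tls = tls-common
	#}

	# PEAP still uses the shared TLS settings for its outer tunnel.
	peap {
		tls = tls-common
		default_eap_type = mschapv2
	}
}
```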