clarification on eap configuration files and certificates

Marco Santantonio marco.santantonio at unito.it
Thu Jun 20 11:06:59 CEST 2019


Hi all,

I have one last doubt on the subject. As I said, we use certificates issued
by a public CA (Digicert). In the certificate chain that I insert in the
certificate_file, should I also include the root CA or, since it is public and
recognized, do I expect the clients to know it already? Does leaving the root
CA in the chain not increase the packet exchange, with probably longer
round-trip times and therefore slower authentications?

Many thanks!

Marco

On Wed, 19 Jun 2019 at 15:39 Marco Santantonio <
marco.santantonio at unito.it> wrote:

> many thanks Alan!
>
>
>
> On Wed, 19 Jun 2019 at 15:22 Alan DeKok <
> aland at deployingradius.com> wrote:
>
>> On Jun 19, 2019, at 9:04 AM, Marco Santantonio <
>> marco.santantonio at unito.it> wrote:
>> >
>> > I have some doubts about eap module configuration file.
>> >
>> > In my organization we use a public CA for radius server certificates.
>> The
>> > freeradius version is 3.0.12 from debian stable repository.
>>
>>   You should really upgrade.  There are packages available on
>> http://packages.networkradius.com
>>
>> > What's the difference between:
>> > 1)  setting only the server certificate in "certificate_file" and using
>> > "ca_file" to indicate the certificate of authority that issued
>> > "certificate_file"
>> > OR
>> > 2) set in "certificate_file" not only the server certificate, but also
>> all
>> > of the CA certificates used to sign the server certificate and comment
>> > "ca_file" (this is my current configuration)
>>
>>   There is no real difference.  The certificates will work.
>>
>>   We allow multiple configurations because sometimes people need *more*
>> functionality.  i.e. they can put multiple CAs into "ca_file".  And then
>> issue EAP-TLS client certificates from those CAs.
>>
>> > I ask you this question because the ultimate goal is to deny use of
>> EAP-TLS
>> > and allow only PEAP.
>>
>>   Remove the "tls { ... }" section from mods-available/eap.  EAP-TLS will
>> stop working.
>>
>> > I have read various posts with different solutions and I am a bit
>> confused.
>>
>>   The comments in the configuration files aren't perfect, but they're not
>> terrible.  You should believe the config files over random third-party web
>> sites.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
>
> --
> ****************************************
> Marco Santantonio
> Direzione Sistemi Informativi, Portale, E-learning
> Sezione Fonia, VoIP e WiFi
> www.unito.it
> ****************************************
>
>
>

-- 
****************************************
Marco Santantonio
Direzione Sistemi Informativi, Portale, E-learning
Sezione Fonia, VoIP e WiFi
www.unito.it
****************************************
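A check a practitioner might run on the PEM bundle before pointing certificate_file at it, added here as an example and not part of this thread or of FreeRADIUS itself: it decodes each certificate with a minimal DER walker (standard library only), verifies the bundle is in leaf-first order with every certificate's issuer matching the next certificate's subject, reports whether it ends in a self-signed root, and estimates how many EAP fragments the server's TLS Certificate message would need with and without that root. The fragment size of 1024 bytes is an assumption (the value the eap configuration examples use); the three certificates in the sample are constructed, unsigned placeholders that the script builds itself, so only their names and sizes are meaningful. TLS (RFC 5246, section 7.4.2) allows the self-signed root to be omitted from the chain, because a client must already hold it as a trust anchor to validate the chain at all.

```python
"""Inspect a PEM bundle intended for FreeRADIUS' certificate_file (example)."""
import base64
import math
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(bundle: str) -> list:
    """Return the DER bytes of every certificate in the bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle)]


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int) -> list:
    """Return (tag, value_start, value_end) for each TLV inside a constructed type."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        out.append((tag, vstart, vend))
        pos = vend
    return out


def names(der: bytes) -> tuple:
    """Return (issuer, subject) as the raw DER contents of the two Name fields."""
    _, cert_start, cert_end = _tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs_start, tbs_end = _children(der, cert_start, cert_end)[0]  # tbsCertificate
    fields = _children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                                  # optional [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, i_s, i_e = fields[2]
    _, s_s, s_e = fields[4]
    return der[i_s:i_e], der[s_s:s_e]


def analyse_bundle(bundle: str, fragment_size: int = 1024) -> dict:
    """Summarise chain order, root presence and the EAP fragment cost of the bundle."""
    ders = pem_to_der_list(bundle)
    chain = [names(d) for d in ders]
    ordered = all(chain[i][0] == chain[i + 1][1] for i in range(len(chain) - 1))
    root_included = bool(chain) and chain[-1][0] == chain[-1][1]   # self-signed last cert
    total = sum(len(d) for d in ders)
    without_root = total - len(ders[-1]) if root_included else total
    return {
        "count": len(ders),
        "ordered": ordered,
        "root_included": root_included,
        "bytes": total,
        "bytes_without_root": without_root,
        "fragments": math.ceil(total / fragment_size),
        "fragments_without_root": math.ceil(without_root / fragment_size),
    }


# --- constructed sample data: structurally valid but unsigned X.509 certificates ---
def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; lengths up to 65535 bytes are enough for this sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, holding a single CN."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_fake_cert(subject: str, issuer: str, padding: int) -> str:
    """PEM-wrap a placeholder certificate; key and signature are filler bytes."""
    sig_alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, b"290101000000Z"))
    spki = _der(0x30, sig_alg + _der(0x03, b"\x00" + b"\xAA" * padding))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + sig_alg + _name(issuer) + validity + _name(subject) + spki)
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + b"\xBB" * 256))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = make_fake_cert("radius.example.edu", "Example Intermediate CA", 1200)
INTERMEDIATE = make_fake_cert("Example Intermediate CA", "Example Root CA", 1100)
ROOT = make_fake_cert("Example Root CA", "Example Root CA", 1100)
BUNDLE_WITH_ROOT = LEAF + INTERMEDIATE + ROOT
BUNDLE_WITHOUT_ROOT = LEAF + INTERMEDIATE

if __name__ == "__main__":
    for label, bundle in (("with root", BUNDLE_WITH_ROOT), ("without root", BUNDLE_WITHOUT_ROOT)):
        print(label, analyse_bundle(bundle))
```

Run against a real bundle by reading the file into `analyse_bundle`; an `ordered` value of False means the chain is not leaf-first, which OpenSSL-based servers will not reorder for you. The fragment estimate ignores the rest of the handshake, so it shows only the relative cost of carrying the root.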
