Freeradius and Android, TLS Internal Error
Matthew Newton
mcn at freeradius.org
Fri Feb 23 11:49:14 UTC 2024
On 23/02/2024 11:01, Lorenzo Mirabella wrote:
> ca_file = ${cadir}/fullchain.pem

A separate point, do NOT add this line.

It is the root CA that FreeRADIUS will use to verify client
certificates. i.e. if a client comes along and tries to authenticate
with EAP-TLS and presents a certificate from that root, they will be
accepted.

Which means in your situation, anyone with a LetsEncrypt will be able to
authenticate. This is certainly not what you want.

For EAP-TLS, set it to a private root CA. For any other EAP type, leave
it unset.

--
Matthew
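
The check implied by the message above, as an added example that is not part of the original post or of FreeRADIUS itself: a shell script that lists every uncommented ca_file setting in an EAP module file so it can be reviewed. The sample config and the function names are constructed for illustration; only the ca_file = ${cadir}/fullchain.pem line comes from the thread.

```shell
#!/bin/sh
# Added example: find active ca_file settings in a FreeRADIUS EAP module file.
# ca_file is the trust anchor for client certificates, so any active value
# must be a private root CA (EAP-TLS) or the setting must be absent.

# Constructed sample input, shaped like an eap module file.
sample_eap_config() {
cat <<'EOF'
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/privkey.pem
        certificate_file = ${certdir}/fullchain.pem
        #ca_file = ${cadir}/ca.pem
        ca_file = ${cadir}/fullchain.pem   # the line advised against
    }
}
EOF
}

# Print "LINENO:VALUE" for each ca_file assignment that is not commented out.
active_ca_files() {
    awk '
        { line = $0; sub(/#.*/, "", line) }      # strip trailing comments
        line ~ /^[ \t]*ca_file[ \t]*=/ {
            sub(/^[ \t]*ca_file[ \t]*=[ \t]*/, "", line)
            sub(/[ \t]+$/, "", line)
            gsub(/"/, "", line)                  # drop optional quotes
            print NR ":" line
        }'
}

# Return 0 when ca_file is unset (nothing trusted for client certificates),
# 1 when it is set and the referenced CA needs to be reviewed.
audit_ca_file() {
    found=$(active_ca_files)
    if [ -z "$found" ]; then
        echo "ok: ca_file unset"
        return 0
    fi
    echo "review: ca_file is active; it must point at a private root CA:"
    echo "$found"
    return 1
}

# Stand-alone run against the constructed sample.
sample_eap_config | audit_ca_file || true
```

Feed it the real EAP module file on stdin in place of the sample; it does not follow $INCLUDE directives.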