Freeradius and Android, TLS Internal Error

Matthew Newton mcn at
Fri Feb 23 11:49:14 UTC 2024

On 23/02/2024 11:01, Lorenzo Mirabella wrote:
> ca_file = ${cadir}/fullchain.pem

A separate point, do NOT add this line.

It is the root CA that FreeRADIUS will use to verify client 
certificates. i.e. if a client comes along and tries to authenticate 
with EAP-TLS and presents a certificate from that root, they will be 

Which means in your situation, anyone with a LetsEncrypt will be able to 
authenticate. This is certainly not what you want.

For EAP-TLS, set it to a private root CA. For any other EAP type, leave 
it unset.


More information about the Freeradius-Users mailing list