Requesting guidance to understand all moving parts for RadSec + EAP-TLS
Yoann Gini
yoann.gini at gmail.com
Sun Apr 20 17:08:25 UTC 2025
Following recommendations I'm starting with the EAP-TLS config first.
I have two questions.
First, it seems that, in my understanding, the configuration key ca_file in mods-enabled/eap (Ubuntu) is used both as the anchor for the RADIUS server certificate defined in certificate_file and as the trusted authority for client authentication.
Is there a way to use a different set here? My goal would be to use for the RADIUS server a certificate from Let's Encrypt, as for any exposed Internet service (and to ease the server provisioning), and for the client authentication, my internal PKI.
Is that doable? Or should I use only certificates from my PKI here?
Then, I'm having some basic EAP-TLS setup that ends with the server side sending an Access-Challenge and no answer from the client. Network stack is UniFi network with a macOS client connected to the WiFi.
Any recommendations for the troubleshooting steps needed when Access-Challenge is not answered?
Here is the debug log
(0) Received Access-Request Id 0 from <my_public_ip>:55641 to 172.31.4.143:1812 length 224
(0) User-Name = "y"
(0) NAS-IP-Address = 172.16.128.187
(0) NAS-Identifier = "6ad79a4ae1df"
(0) Called-Station-Id = "6A-D7-9A-4A-E1-DF:Test"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "8A-6C-88-1D-26-16"
(0) Connect-Info = "CONNECT 0Mbps 802.11a"
(0) Acct-Session-Id = "E6820D4A4AE32164"
(0) Acct-Multi-Session-Id = "B340C339DFD7F4B8"
(0) Mobility-Domain-Id = 45825
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027075
(0) Filter-Id = "wpa-eap"
(0) Framed-MTU = 1002
(0) EAP-Message = 0x020100060179
(0) Message-Authenticator = 0x2dc1e95d3c1a904277374839acf24474
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/<my_public_ip>/auth-detail-20250420
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/<my_public_ip>/auth-detail-20250420
(0) auth_log: EXPAND %t
(0) auth_log: --> Sun Apr 20 16:52:55 2025
(0) [auth_log] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "y", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 6
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: EXPAND %{Calling-Station-Id}
(0) eap: --> 8A-6C-88-1D-26-16
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) TLS -Initiating new session
(0) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client
(0) eap: Sending EAP Request (code 1) ID 2 length 10
(0) eap: EAP session adding &reply:State = 0xbf9ac2b0bf98cffa
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type Challenge {
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) attr_filter.access_challenge: EXPAND %{User-Name}
(0) attr_filter.access_challenge: --> y
(0) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(0) [attr_filter.access_challenge.post-auth] = updated
(0) } # Post-Auth-Type Challenge = updated
(0) session-state: Saving cached attributes
(0) Framed-MTU = 1002
(0) Sent Access-Challenge Id 0 from 172.31.4.143:1812 to <my_public_ip>:55641 length 68
(0) EAP-Message = 0x0102000a0da000000000
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xbf9ac2b0bf98cffac710c0c9c10466bb
(0) Finished request
Waking up in 4.9 seconds.
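When troubleshooting an unanswered Access-Challenge, the first thing worth confirming is what the server actually put on the wire. The two EAP-Message values in the debug output above can be decoded by hand: the request carries an EAP Response/Identity of "y", and the reply carries an EAP Request of type 13 (EAP-TLS) with the Start flag set and an empty TLS payload, which is the normal opening of an EAP-TLS conversation. The following Python decoder is an added example written for this thread, not code from FreeRADIUS or from the poster; it implements the EAP header and EAP-TLS flag layout from RFC 3748 and RFC 5216 and is fed the two hex strings copied from the log. If the Start request decodes cleanly, the next packet is expected from the supplicant (its TLS ClientHello), so a silent client points at the supplicant, the WLAN controller relaying EAP, or the RADIUS shared secret/Message-Authenticator check on the NAS side rather than at the eap module's own state.

```python
import struct

# EAP codes and method types from RFC 3748 / RFC 5216 (only the ones useful here).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# EAP-TLS flag bits (RFC 5216 section 3.1).
FLAG_LENGTH_INCLUDED = 0x80  # L: a 4-byte TLS Message Length follows the flags
FLAG_MORE_FRAGMENTS = 0x40   # M: more fragments of this TLS record follow
FLAG_START = 0x20            # S: server is opening a new EAP-TLS conversation


def decode_eap(hexstr):
    """Decode one EAP packet given as the hex string FreeRADIUS prints for EAP-Message."""
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes; got %d" % len(data))
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # A length mismatch means a truncated or corrupted attribute, not a valid packet.
        raise ValueError("EAP length field %d does not match %d bytes present" % (length, len(data)))
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return result  # Success/Failure carry no Type field
    eap_type = data[4]
    body = data[5:]
    result["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        # Identity type-data is the peer identity as sent (here the User-Name "y").
        result["identity"] = body.decode("utf-8", "replace")
    elif eap_type == 13:
        if not body:
            raise ValueError("EAP-TLS packet is missing its flags byte")
        flags = body[0]
        result["flags"] = {
            "L": bool(flags & FLAG_LENGTH_INCLUDED),
            "M": bool(flags & FLAG_MORE_FRAGMENTS),
            "S": bool(flags & FLAG_START),
        }
        offset = 1
        if flags & FLAG_LENGTH_INCLUDED:
            if len(body) < 5:
                raise ValueError("L flag set but no TLS Message Length present")
            result["tls_length"] = struct.unpack("!I", body[1:5])[0]
            offset = 5
        # Whatever remains is TLS record data; empty for a Start packet.
        result["tls_data"] = body[offset:]
    return result


def is_eap_tls_start(hexstr):
    """True when the packet is an EAP Request of type EAP-TLS with the S flag set and no TLS data."""
    pkt = decode_eap(hexstr)
    return (
        pkt["code"] == "Request"
        and pkt.get("type") == "EAP-TLS"
        and pkt["flags"]["S"]
        and pkt["tls_data"] == b""
    )


if __name__ == "__main__":
    # Both values copied verbatim from the debug log in the message above.
    client_identity = "0x020100060179"
    server_challenge = "0x0102000a0da000000000"
    print(decode_eap(client_identity))
    print(decode_eap(server_challenge))
    print("server sent EAP-TLS Start:", is_eap_tls_start(server_challenge))
```

Run it with the EAP-Message strings from any later debug output as well: once the client does answer, the next Access-Request's EAP-Message should decode as a Response of type EAP-TLS with the L flag set and a non-empty tls_data beginning with a TLS handshake record (0x16), which is the ClientHello the server is waiting for.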