Requesting guidance to understand all moving parts for RadSec + EAP-TLS

Alan DeKok aland at deployingradius.com
Sun Apr 20 17:35:15 UTC 2025


On Apr 20, 2025, at 1:08 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
> First, it seems that, in my understanding, the configuration key ca_file in mods-enabled/eap (Ubuntu) is both used as an anchor for the radius server certificate defined in certificate_file and as the trusted authority for client authentication.

  If you want.  There's no requirement to do that.

> Is there a way to use a different set here? My goal would be to use for the radius server a certificate from Let’s Encrypt, as any exposed Internet service (and to ease the server provisioning), and for the client authentication, my internal PKI.
> 
> Is that doable? Or should I use only certificates from my PKI here?

  Yes.  Just put all of the CA files into ca_dir, and then use ca_dir instead of ca_path.  The server will read all of the CA files at startup.

> Then, I’m having some basic EAP-TLS setup that ends with the server side sending an Access-Challenge and no answer from the client. The network stack is UniFi Network with a macOS client connected to the WiFi.
> 
> Any recommendations for the troubleshooting steps needed when Access-Challenge is not answered?

  Look at the logs on the NAS or the OSX machine.

  The packets have Message-Authenticator, so you know that the shared secret is OK.  So the problem is likely not the NAS.

  The most common cause of this issue is that the end user machine isn't configured correctly.  i.e. it doesn't know about the CA that the server is using.

  Update the OSX machine so that it has the CA, and the CA is being used for EAP.  This is all very OS specific. :(

  Alan DeKok.
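The following script is an added illustration of the "put all of the CA files in one directory" advice above; it is not code from the FreeRADIUS project or from either poster. FreeRADIUS hands ca_path to OpenSSL, which looks CAs up by subject-name hash, so the directory has to contain <hash>.N entries (the layout c_rehash or openssl rehash produce); the script builds that layout by hand for two unrelated CAs, one standing in for a public web CA that issues the server certificate and one internal CA that issues client certificates, and then checks which certificates validate against which directory. Everything it uses (the CA names, the directory names, the test certificates and openssl 1.1.0 or later in PATH) is an assumption made here.

```shell
#!/bin/sh
# Added example, not code from the FreeRADIUS project or from the thread.
# Builds a ca_path-style directory holding two unrelated CAs and checks which
# certificates validate against it. Assumes openssl 1.1.0+ in PATH; all CAs,
# keys and certificates below are generated here as throw-away test data.

set -eu

WORK=${WORK:-$(mktemp -d)}

# Minimal request config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME CN: self-signed CA written to $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert NAME CA CN EKU: leaf certificate $WORK/NAME.crt signed by $WORK/CA.crt
issue_cert() {
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = %s\n' "$4" > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$3" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# build_ca_path DIR CA...: copy each CA into DIR and add the <hash>.N link that
# OpenSSL's hash_dir lookup (and therefore FreeRADIUS ca_path) needs to find it.
build_ca_path() {
    dir=$1; shift
    mkdir -p "$dir"
    for ca in "$@"; do
        cp "$WORK/$ca.crt" "$dir/$ca.pem"
        h=$(openssl x509 -noout -hash -in "$dir/$ca.pem")
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # collisions get .1, .2, ...
        ln -s "$ca.pem" "$dir/$h.$n"
    done
}

# verifies NAME DIR PURPOSE: exit 0 if $WORK/NAME.crt chains to a CA in DIR and its
# EKU fits PURPOSE (sslserver or sslclient). The default system stores are disabled
# so the answer reflects only DIR, which is all FreeRADIUS's ca_path would see.
verifies() {
    openssl verify -no-CAfile -no-CApath -CApath "$2" -purpose "$3" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

report() {
    if verifies "$1" "$2" "$3"; then echo "OK   $1 against $(basename "$2") as $3"
    else echo "FAIL $1 against $(basename "$2") as $3"; fi
}

demo() {
    make_ca public_ca "Public Web CA"          # stand-in for the public CA issuing the server cert
    make_ca corp_ca   "Internal Client CA"     # the internal PKI for client certificates
    issue_cert radius public_ca radius.example.net serverAuth
    issue_cert laptop corp_ca   laptop01           clientAuth
    build_ca_path "$WORK/ca_path"     public_ca corp_ca   # both CAs, as the reply suggests
    build_ca_path "$WORK/public_only" public_ca           # server CA alone, for contrast
    ls -l "$WORK/ca_path"
    report radius "$WORK/ca_path"     sslserver   # OK: server cert chains to public CA
    report laptop "$WORK/ca_path"     sslclient   # OK: client cert chains to internal CA
    report laptop "$WORK/public_only" sslclient   # FAIL: internal CA not in this directory
    report radius "$WORK/ca_path"     sslclient   # FAIL: EKU is serverAuth only
    echo "test data left in $WORK"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ca_path_demo.sh demo`. Note that the last check only fails because of the EKU: certificates from public CAs commonly carry clientAuth as well as serverAuth, so once a public CA sits in the directory used for client verification, any certificate that CA issued can be presented as a client certificate. If you go the route described in the reply, also restrict accepted client certificates by issuer in policy (FreeRADIUS exposes it as TLS-Client-Cert-Issuer) rather than relying on EKU alone.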



More information about the Freeradius-Users mailing list