Requesting guidance to understand all moving parts for RadSec + EAP-TLS

Yoann Gini yoann.gini at gmail.com
Sun Apr 20 18:17:19 UTC 2025


Hi

> On 20 Apr 2025, at 19:35, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Apr 20, 2025, at 1:08 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
>> First, it seems that, in my understanding, the configuration key ca_file in mods-enabled/eap (Ubuntu) is used both as the anchor for the RADIUS server certificate defined in certificate_file and as the trusted authority for client authentication.
> 
>  If you want.  There's no requirement to do that.
> 
>> Is there a way to use a different set here? My goal would be to use for the radius server a certificate from Let’s Encrypt, as any exposed Internet service (and to ease the server provisioning), and for the client authentication, my internal PKI.
>> 
>> Is that doable? Or should I use only certificates from my PKI here?
> 
>  Yes.  Just put all of the CA files into ca_dir, and then use ca_dir instead of ca_path.  The server will read all of the CA files at startup.

But if I put all of the CA into ca_dir, the Let’s Encrypt issued certificates could also be used to pass client auth?
> 
>> Then, I have a basic EAP-TLS setup that ends with the server side sending an Access-Challenge and no answer from the client. The network stack is UniFi Network with a macOS client connected to the Wi-Fi.
>> 
>> Any recommendations for the troubleshooting steps needed when Access-Challenge is not answered?
> 
>  Look at the logs on the NAS or the OSX machine.
> 
>  The packets have Message-Authenticator, so you know that the shared secret is OK.  So the problem is likely not the NAS.
> 
>  The most common cause of this issue is that the end user machine isn't configured correctly.  i.e. it doesn't know about the CA that the server is using.
> 
>  Update the OSX machine so that it has the CA, and the CA is being used for EAP.  This is all very OS specific. :(

Indeed, I’ve tested with a Windows endpoint and it just worked.

I will look later at the MDM configuration needed for Windows.

Now I will try to embed this in RadSec.

Thanks


More information about the Freeradius-Users mailing list