Requesting guidance to understand all moving parts for RadSec + EAP-TLS
Alan DeKok
aland at deployingradius.com
Sun Apr 20 18:20:27 UTC 2025
On Apr 20, 2025, at 2:17 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
> But if I put all of the CA into ca_dir, the Let’s Encrypt issued certificates could also be used to pass client auth?
Technically, yes. Practically, no.
The Let's Encrypt certificates generally aren't CAs. So they can't issue client certs.
Even if they were CAs, you can run the server in debug mode, and see what it prints out about the TLS certificates.
You can then add policies to check the TLS-* attributes, to verify that the client certificates are created by a CA you trust.
Alan DeKok.
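As an added illustration of the policy check described above (example config, not from the thread or from FreeRADIUS's own distribution): an unlang fragment for the post-auth section of a FreeRADIUS 3.x virtual server that rejects EAP-TLS sessions whose client certificate was not issued by the internal client CA, so public CAs placed in ca_dir for RadSec cannot be used to pass client auth. The issuer DN is a constructed placeholder; take the real value from the TLS-Client-Cert-Issuer line the server prints in debug mode.

```unlang
# Added example for sites-enabled/default (FreeRADIUS 3.x); not part of the original post.
# Assumption: the internal client CA has the issuer DN shown below (constructed placeholder).
post-auth {
    # Only EAP-TLS sessions carry a supplicant certificate; other methods fall through.
    if (&EAP-Type == TLS) {
        # ca_dir may hold public CAs for RadSec, but only certificates chaining to the
        # internal client CA may authenticate a supplicant. Missing issuer == reject.
        if (!&TLS-Client-Cert-Issuer || &TLS-Client-Cert-Issuer != "/C=US/O=Example Corp/CN=Example Client CA") {
            update reply {
                &Reply-Message := "Client certificate not issued by the trusted client CA"
            }
            reject
        }
    }
}
```

The same test can be applied at the TLS layer with the check_cert_issuer option in the eap module's tls-config section, which leaves no window for a policy mistake to admit the certificate.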