Requesting guidance to understand all moving parts for RadSec + EAP-TLS

Yoann Gini yoann.gini at gmail.com
Sun Apr 20 18:29:38 UTC 2025


Hi

> On 20 Apr 2025 at 20:24, Dave Funk <dbfunk at engineering.uiowa.edu> wrote:
> 
> What do you mean by:
> 'use for as anchor for the radius server certificate defined in certificate_file'
> 
> The radius server certificate pointed to by certificate_file (EG the thing you got from "Let's Encrypt") does not need to contain an 'anchor CA' component.
> The only thing it should contain is the actual server "leaf" cert and any intermediate certs leading up to but not including the issuing root ("anchor"?) CA certificate.
> The clients that connect to your radius server should have their own local copy of trusted CA certs that they use to validate your server's TTLS cert when they connect to your server.
> 
> The ca_file (or ca_dir) should contain CA certs that were used to issue any client TLS certs that you want to trust; it does not need to contain anything else.

OK, that’s where I was unsure.

I can put in certificate_file the fullchain of the LE certificate, and in ca_file the root + intermediates of the internal PKI?

Reading the comments in the configuration file, I had misunderstood them to mean that if certificate_file held the fullchain, then ca_file could not be used.

My bad

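Added example for the layout Dave describes above (not code from the thread or from FreeRADIUS): a shell sanity check that the bundle you point certificate_file at starts with the server leaf followed by its intermediates in chain order, and that the bundle you point ca_file at holds only CA certificates. It assumes the openssl CLI is installed; the file names are whatever you pass in.

```shell
# Added example, not part of the thread or of FreeRADIUS itself: sanity-check
# the two PEM bundles referenced by an EAP-TLS / RadSec tls-config, assuming:
#   certificate_file: server leaf first, then intermediates (root not required)
#   ca_file:          only the CA certs of the PKI that issued the client certs
# Needs the openssl CLI. Usage: check_certificate_file fullchain.pem; check_ca_file ca.pem

# Number of certificates in a PEM bundle (exit 1 when there are none).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Print the n-th certificate (1-based) of a PEM bundle.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ {c++}
                 c == n {print}
                 /-----END CERTIFICATE-----/ {if (c == n) exit}' "$1"
}

# "yes" if the certificate on stdin carries basicConstraints CA:TRUE, else "no".
is_ca() { openssl x509 -noout -text | grep -q 'CA:TRUE' && echo yes || echo no; }

# certificate_file: a non-CA leaf first, each later cert a CA that issued the one before it.
check_certificate_file() {
  n=$(cert_count "$1") || { echo "no certificate in $1"; return 1; }
  i=1
  while [ "$i" -le "$n" ]; do
    pem=$(nth_cert "$1" "$i")
    if [ "$i" -eq 1 ]; then
      [ "$(printf '%s\n' "$pem" | is_ca)" = no ] || { echo "first cert in $1 is a CA, expected the server leaf"; return 1; }
    else
      [ "$(printf '%s\n' "$pem" | is_ca)" = yes ] || { echo "cert $i in $1 is not a CA"; return 1; }
      # Chain order: the issuer of cert i-1 must be the subject of cert i.
      prev_issuer=$(nth_cert "$1" $((i - 1)) | openssl x509 -noout -issuer)
      subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
      [ "${prev_issuer#issuer=}" = "${subject#subject=}" ] || { echo "cert $i in $1 did not issue cert $((i - 1)): chain out of order"; return 1; }
    fi
    i=$((i + 1))
  done
}

# ca_file: every certificate must be a CA. (A server leaf pasted here is caught;
# which PKI a CA cert belongs to cannot be told from the file alone.)
check_ca_file() {
  n=$(cert_count "$1") || { echo "no certificate in $1"; return 1; }
  i=1
  while [ "$i" -le "$n" ]; do
    [ "$(nth_cert "$1" "$i" | is_ca)" = yes ] || { echo "cert $i in $1 is not a CA"; return 1; }
    i=$((i + 1))
  done
}
```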

More information about the Freeradius-Users mailing list