
List:       freeradius-users
Subject:    Re: Freeradius and Android, TLS Internal Error
From:       Matthew Newton via Freeradius-Users <freeradius-users () lists ! freeradius ! org>
Date:       2024-02-23 11:49:14
Message-ID: a7b503e7-b25f-47f4-a401-dc45405faa43 () freeradius ! org

On 23/02/2024 11:01, Lorenzo Mirabella wrote:
> ca_file = ${cadir}/fullchain.pem

A separate point, do NOT add this line.

It is the root CA that FreeRADIUS will use to verify client certificates, i.e. if a client comes along and tries to authenticate with EAP-TLS and presents a certificate from that root, they will be accepted.

Which means in your situation, anyone with a LetsEncrypt will be able to authenticate. This is certainly not what you want.

For EAP-TLS, set it to a private root CA. For any other EAP type, leave it unset.

-- 
Matthew
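To make the point concrete, the following is an added example (not from Matthew's message or the FreeRADIUS project) of the `tls-config` part of FreeRADIUS 3.x `mods-available/eap`, first as misconfigured in the way described above and then corrected; the file names under `${certdir}` and `${cadir}` and the `private-client-ca.pem` root are assumptions.

```conf
# Added example (not from the thread or the FreeRADIUS project):
# the tls-config section of FreeRADIUS 3.x mods-available/eap.
# File names under ${certdir} and ${cadir} are assumptions.

# --- WRONG: a public CA chain as the client-certificate trust root ---
eap {
    default_eap_type = peap
    tls-config tls-common {
        # Server identity: a LetsEncrypt certificate is fine here.
        certificate_file = ${certdir}/fullchain.pem
        private_key_file = ${certdir}/privkey.pem
        # ca_file is the trust root used to verify CLIENT certificates.
        # Pointing it at the public chain means any certificate issued
        # under that root is accepted for EAP-TLS client authentication.
        ca_file = ${cadir}/fullchain.pem
    }
    tls  { tls = tls-common }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}

# --- CORRECT: one TLS profile per EAP method ---
eap {
    default_eap_type = peap
    tls-config tls-peap {
        certificate_file = ${certdir}/fullchain.pem
        private_key_file = ${certdir}/privkey.pem
        # PEAP/TTLS verify no client certificates: leave ca_file unset.
    }
    tls-config tls-eaptls {
        certificate_file = ${certdir}/fullchain.pem
        private_key_file = ${certdir}/privkey.pem
        # Only the private CA that issues your client certificates.
        ca_file = ${cadir}/private-client-ca.pem
    }
    tls  { tls = tls-eaptls }
    peap {
        tls = tls-peap
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
```

Run `radiusd -XC` after editing to confirm the module still parses, and test EAP-TLS with a certificate from the public CA to verify it is now rejected.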