[RADIATOR] Differences in specifying EAP certificates in configuration

Heikki Vatiainen hvn at open.com.au
Mon Jun 9 14:34:23 CDT 2014


On 06/09/2014 09:55 PM, Johnson, Neil M wrote:
> Should I be doing this:
> 
> 		EAPTLS_CAFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu.cer
> 		EAPTLS_CertificateFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu_cert.cer
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile %D/certificates/prod2017/privateKey.key
> 		EAPTLS_PrivateKeyPassword <Secret>

I think this works the same as the other example below.

A thing to note seems to be that with CertificateChainFile the server
certificate must be the first certificate, just like you have.

I think the difference between CAFile and CertificateChainFile becomes
important when a client certificate is required. For example, with EAP-TLS
the clients may have a different root CA than the server does. In this
case you'd specify the server side certificates with
CertificateChainFile and the client side with CAFile.

> Or should I be doing this:
> 
> 		EAPTLS_CertificateChainFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu.cer
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile %D/certificates/prod2017/privateKey.key
> 		EAPTLS_PrivateKeyPassword <Secret>
> 
> Where:
> File: net-auth-1_its_uiowa_edu_cert just contains the Server Certificate
> and
> File: net-auth-1_its_uiowa_edu.cer contains a chain of certificates starting with the server certificate, followed by an intermediate certificate, and then finally the CA certificate.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
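The ordering rule discussed above (server certificate first in the file given to EAPTLS_CertificateChainFile, then the intermediate, then the root) is easy to get wrong when certificates are concatenated by hand. The script below is an added example for checking such a file before pointing Radiator at it; it is not code from the list post or from Radiator. It assumes only the openssl command-line tool. The function names (split_pem_chain, check_chain_order) and the certificate names used in the usage line are made up for this example; the checks are that the first certificate's public key matches the private key (optionally unlocked with the EAPTLS_PrivateKeyPassword value) and that each certificate is issued by the one that follows it.

```sh
#!/bin/sh
# Added example, not part of the mailing list post or of Radiator.
# Checks that a PEM bundle meant for EAPTLS_CertificateChainFile is in the
# order Radiator expects: server certificate first, then intermediates,
# then the root. Needs the openssl CLI. Returns 0 if consistent, 1 otherwise.

# Split a concatenated PEM file into $2/cert-1.pem, $2/cert-2.pem, ...
# and print how many certificates were found.
split_pem_chain() {
    chain="$1"; outdir="$2"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$chain"
}

# check_chain_order CHAINFILE KEYFILE [KEYPASSWORD]
check_chain_order() {
    chain="$1"; key="$2"; password="${3:-}"
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_chain "$chain" "$tmp")
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $chain" >&2
        rm -rf "$tmp"; return 1
    fi

    # 1. The first certificate must belong to the private key: compare the
    #    public key embedded in the certificate with the key's public half.
    cert_pub=$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey)
    if [ -n "$password" ]; then
        key_pub=$(openssl pkey -in "$key" -pubout -passin "pass:$password")
    else
        key_pub=$(openssl pkey -in "$key" -pubout)
    fi
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "first certificate in $chain does not match private key $key" >&2
        rm -rf "$tmp"; return 1
    fi

    # 2. Each certificate must be issued by the one that follows it, so the
    #    chain runs server -> intermediate(s) -> root with no gaps.
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert-$j.pem" -noout -subject)
        # drop the "issuer=" / "subject=" prefixes before comparing the names
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i in $chain is not issued by certificate $j" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$j
    done
    rm -rf "$tmp"
    echo "$chain: $count certificate(s), order is consistent with $key"
    return 0
}

# Usage (hypothetical file names): ./check-chain.sh chain.pem privateKey.key [password]
if [ "$#" -ge 2 ]; then
    check_chain_order "$1" "$2" "${3:-}"
fi
```

Run it against the candidate chain file and the key named in EAPTLS_PrivateKeyFile; a non-zero exit with the message on stderr tells you which certificate is out of place. A file that passes this check is still only a chain in the right order; it says nothing about whether the root is one that the EAP clients trust, which is the separate question the CAFile setting answers.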
