[RADIATOR] Differences in specifying EAP certificates in configuration
Heikki Vatiainen
hvn at open.com.au
Mon Jun 9 14:34:23 CDT 2014
On 06/09/2014 09:55 PM, Johnson, Neil M wrote:
> Should I be doing this:
>
> EAPTLS_CAFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu.cer
> EAPTLS_CertificateFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu_cert.cer
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/prod2017/privateKey.key
> EAPTLS_PrivateKeyPassword <Secret>
I think this works the same as the other example below.
A thing to note seems to be that with CertificateChainFile the server
certificate must be the first certificate, just like you have.
I think the difference between CAFile and CertificateChainFile becomes
important when client certificate is required. For example, with EAP-TLS
the clients may have a different root CA than the server does. In this
case you'd specify the server side certificates with
CertificateChainFile and the client side with CAFile.
> Or should I be doing this:
>
> EAPTLS_CertificateChainFile %D/certificates/prod2017/net-auth-1_its_uiowa_edu.cer
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/prod2017/privateKey.key
> EAPTLS_PrivateKeyPassword <Secret>
>
> Where:
> File: net-auth-1_its_uiowa_edu_cert just contains the Server Certificate
> and
> File: net-auth-1_its_uiowa_edu.cer contains a chain of certificates starting with the server certificate, followed by an intermediate certificate, and then finally the CA certificate.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list