Reimer Karlsen-Masur, DFN-CERT wrote:

Hi Karlsen,
thanks for the answer, please see inline...

> Argh, your misunderstanding is because of the inline
> documentation/default setup of the eap config file.
>
> *Trusted* CAs for client auth are stored in
>
> CA_file
>
> or
>
> CA_path
>
> So there is no conflict here with certificate_file option.
>
> And IMO usually CA_file and certificate_file should *not* contain the
> same CA certs

Well, in my current configuration I have the RADIUS server certificate in certificate_file and the CA certificate in CA_file. But with that configuration, the RADIUS server is still sending the CA certificate. Having said that, your proposal was to not include the CA certificate in the RADIUS server certificate (in the certificate_file variable). My RADIUS server certificate does not have the CA certificate included. Even so, the RADIUS server is including the CA certificate :(... Any alternative solution?

> because I guess in the majority of cases the RADIUS server cert is
> issued by some (commercial) server CA whereas the client certs are
> mostly issued by some home-grown user CA.
>
> Saying that there might be cases where the CA certificates from
> CA_file are indeed the CA chain certs of the RADIUS server
> certificate.....

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

