G'day,

A (hopefully) answerable question for those experienced with EAP-TLS, one I've been twisting my brain over:
Usually I've seen examples of EAP-TLS setups that used a server-side certificate issued by the same CA as the one whose EAP-TLS clients it should allow when they present their certificate to FR. Am I guessing correctly that CA_file can contain a different list of CA(s) than the one the server certificate shown to the client was issued from?

(Taken from Debian's FR 2.1.12) eap.conf:

    tls {
        [...]
        certificate_file = "/etc/freeradius/ssl/cert.p
        # Trusted Root CA list
        CA_file = "/etc/univention/ssl/ucsCA/CAcert.pem"
        [...]

The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (the server certificate being signed by a "trusted" external CA), while some devices could log in using EAP-TLS, but only when they present a certificate from an internal CA (which usually isn't trusted by devices outside the control of the IT department).

Best regards
Mathieu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
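As an added example (not part of the original post and not FreeRADIUS project code), the following shell script builds two constructed CAs with openssl and shows the separation the question asks about: the RADIUS server certificate chains to one CA, the device certificate chains to the other, and a CA_file holding only the internal CA accepts the device certificate while rejecting anything issued by the external CA. All CA and host names are made up for the demo; the only assumption is that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeRADIUS project.
# Shows that the CA used to verify EAP-TLS client certificates (the CA_file
# trust list) is independent of the CA that issued the RADIUS server
# certificate (certificate_file).  Two constructed CAs:
#   external-ca  issues the server certificate (what supplicants trust)
#   internal-ca  issues device certificates (what CA_file should contain)
# Assumes only that the openssl CLI is on PATH; every name below is made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA: $1 = CA name (key and cert written as $1.key / $1.pem)
mkca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 2 -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Leaf certificate: $1 = issuing CA name, $2 = subject CN and file stem,
# $3 = extendedKeyUsage (serverAuth for the RADIUS server, clientAuth for devices)
issue() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$3" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 1 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# Chain check: returns 0 when leaf $2 validates against trust list $1.
# This is the check OpenSSL performs inside FreeRADIUS with CA_file against
# a presented client certificate, and the check a supplicant performs with
# its own trust store against the server certificate.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject names of every certificate in a CA bundle.  OpenSSL sends these in
# the TLS CertificateRequest as the acceptable client CA names, so CA_file
# also decides which CAs supplicants are told to choose a certificate from.
client_ca_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | grep '^subject=' | sed 's/^subject=//'
}

mkca external-ca
mkca internal-ca
issue external-ca radius-server serverAuth
issue internal-ca device-0001 clientAuth

# The trust list for CA_file, as in the posted config: only the internal CA,
# not the external CA that signed the server certificate.
cp internal-ca.pem CA_file.pem

echo "supplicant validates server cert against the external CA:"
verify_chain external-ca.pem radius-server.pem && echo "  OK"
echo "FreeRADIUS validates device cert against CA_file (internal CA):"
verify_chain CA_file.pem device-0001.pem && echo "  OK"
echo "device cert against the external CA (must fail):"
verify_chain external-ca.pem device-0001.pem || echo "  rejected, as intended"
echo "server cert against CA_file (must fail; CA_file is not used for that):"
verify_chain CA_file.pem radius-server.pem || echo "  rejected, as intended"
echo "acceptable client CAs advertised from CA_file:"
client_ca_names CA_file.pem | sed 's/^/  /'
```

Two caveats for the 2.1.x configuration quoted in the post. First, the settings in the tls { } subsection (certificate_file, CA_file and the rest) are shared by EAP-TLS, PEAP and TTLS, so PEAP-MSCHAPv2 clients see the same externally signed server certificate; that is harmless for the described scenario, since PEAP-MSCHAPv2 clients present no certificate and CA_file only governs which client certificates are accepted. Second, because CA_file no longer contains the external CA, OpenSSL cannot pull any external intermediate from it when building the chain it sends to supplicants, so if the external CA signed through an intermediate, append that intermediate to certificate_file after the server certificate.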