Hi,

> In my eap.conf I see the following:
> # This parameter is used only for EAP-TLS,
> # when you issue client certificates. If you do
> # not use client certificates, and you do not want
> # to permit EAP-TLS authentication, then delete
> # this configuration item.
> #CA_file = ${cadir}/ca.pem

# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/radius-server.crt

so, if you don't use CA_file then you must have the server cert AND its CA chained in the certificate_file

> And I'm getting these errors logged from time to time.
> Feb 23 13:05:07 avocet radiusd[15992]: TLS Alert read:fatal:unknown CA
> Feb 23 13:05:07 avocet radiusd[15992]: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

the client has tried to use the wrong CA to deal with you.

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
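
Added example, not part of the original message and not FreeRADIUS code: a small Python triage script that decodes the two log lines quoted above. It assumes the pre-3.0 OpenSSL error-code layout (8-bit library, 12-bit function, 12-bit reason) and that "read" in radiusd's alert line means the alert was received from the peer; the function and variable names are made up for the example.

```python
import re

# TLS alert descriptions from RFC 5246 section 7.2 (certificate-related subset).
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL adds this to a peer's alert number to form the reason
ERR_LIB_SSL = 20             # library number of libssl in OpenSSL's err.h

ALERT_RE = re.compile(r"TLS Alert (read|write):(fatal|warning):(.+?)\s*$")
ERROR_RE = re.compile(r"SSL error error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(hex_code):
    """Unpack an error code. Assumption: pre-3.0 OpenSSL layout (lib/func/reason)."""
    code = int(hex_code, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = TLS_ALERTS.get(reason - SSL_AD_REASON_OFFSET)
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}

def triage(lines):
    """Return one finding per recognised alert or SSL error log line."""
    findings = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            # Assumption: "read" = alert received from the supplicant, "write" = sent by radiusd
            sender = "client" if m.group(1) == "read" else "server"
            findings.append({"kind": "alert", "sender": sender, "level": m.group(2), "desc": m.group(3)})
        m = ERROR_RE.search(line)
        if m:
            findings.append({"kind": "error", **decode_openssl_error(m.group(1))})
    return findings

# The two log lines quoted in the message, with the mail line wrapping undone.
SAMPLE = [
    "Feb 23 13:05:07 avocet radiusd[15992]: TLS Alert read:fatal:unknown CA",
    "Feb 23 13:05:07 avocet radiusd[15992]: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Reason 1048 is the offset 1000 plus TLS alert 48 (unknown_ca), and the "read" direction marks the alert as sent by the client, which matches the explanation in the reply.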