EAP Certificates

Any RADIUS server performing TLS-based EAP must have a server certificate and associated key. This certificate can be signed by a public CA which the end devices already trust, or it can be signed by a self-signed CA managed by the organization. If using a self-signed CA, configure the supplicant to trust the self-signed CA for EAP server authentication purposes. This is often done with a managed security policy.

It’s also possible that a supplicant is instructed to trust an “anchor” certificate in a chain of certificates. The server certificate in this chain has been signed by an intermediate CA certificate, which may have been signed by another CA certificate, and so on, up to a self-signed root CA certificate.

The trust anchor configured on the end device may not be the root CA, in which case this is referred to as validating a "partial chain" as shown below.

The simplest set up for the server certificate for FreeRADIUS is to put all certificates into the certificate file. Put the server certificate and any intermediate certificates needed to reach the certificate trusted by the end device. This file must start with the server certificate and work its way up the chain.

While the certificate file can include the certificate trusted by the supplicant, this may cause larger packet exchanges between FreeRADIUS and the end device. Some supplicants may also fail to trust the server if this certificate is included. Therefore, it’s recommended to stop the certificate file at the certificate in the chain that’s immediately before the one configured as a trust anchor.

In the example above, this means the server certificate file should contain:

When using “mutual TLS", FreeRADIUS needs to know which CAs to trust to authenticate the end device. The end devices present certificates to the server like EAP-TLS.

The easiest way to manage this is to put any CAs that must be trusted in a single file (named ca_file). Alternatively, the trusted certificates can be placed in a directory (named ca_dir).

CAs used for signing end device certificates should NOT be public CAs. Trusting public CAs usually means that an end device presenting any certificate signed by that same CA is trusted. If client authentication uses a public CA, the acceptable client certificates must be resticted (using the check_cert_cn option or the check-eap-tls virtual server).

However, a self-signed CA used only for EAP authentication, whose private key is known only to the organization, doesn’t have this problem.

If a CA is not already in use for signing certificates then FreeRADIUS ships with scripts which can create a CA, server certificates, and client certificates.

Full details of how to generate certificates can be found here and the corresponding raddb/certs/Makefile.

Certificates to be loaded onto the RADIUS servers must be copied into raddb/certs directory. Use file names which help to identify what the certificates are.

The freeradius certificates required at a minimum are:

If additional certificates are needed for different EAP methods (e.g. EAP-PEAP using one server certificate and EAP-TLS using another) then generate and add the required certificates into this directory.

Certificate settings for EAP are found in the eap module configuration located in the raddb/mods-enabled/eap directory.

If a common set of certificates is used by all EAP methods then it will be set in a tls-config section called tls-common. This section is referenced within each EAP method that’s enabled.

This section contains at least the following:

If applicable, the private_key_password item must be un-commented and set to the password used when generating the private key,

The certificate_file and private_key_file items refer to files that contain the server certificate (followed by intermediate CAs up to but not including the CA trusted by supplicants) and the private key corresponding to the server certificate, respectively.

By setting the auto_chain item to no the certificate chain will be presented to the end device as it is in the server certificate file. With auto_chain set to yes OpenSSL automatically creates a chain. The chain is based on the certificates in ca_file and ca_dir. OpenSSL’s automatic chain building behaviour differs greatly between versions and may result in a chain that may not reflect what the supplicant expects.

The ca_file item refers to a file that contains CA certificates which FreeRADIUS trusts when checking client certificates.

The ca_dir item refers to a directory containing CA certificates which FreeRADIUS trusts when checking client certificates. Additionally, any Certificate Revocation Lists (CR) are included. After modifying this directory the c_rehash command must be run.

Many supplicants won’t send a client certificate unless its issuer is in the list of trusted certificates sent by the server. Also, the client’s issuer may be in the configured client certificate chain. Also. The supplicant won’t send a certificate if the list of trusted certificates is empty. This means no ca_file is configured with trusted certificates placed in the ca_dir.

Many supplicants won’t send a client certificate unless its issuer (or one of the configured client certificate chain issuers) is in the list of trusted certificates sent by the server. Also, the supplicant won’t send a certificate if the list of trusted certificates is empty. This means no ca_file is configured with trusted certificates placed in the ca_dir.

The tls_min_version and tls_max_version items control which TLS versions are acceptable.

In order to allow supplicants to connect using TLS versions 1.0 or 1.1 the option cipher_list within the tls-config may need to be set as follows

This situation arises if the server’s system default for SECLEVEL is higher.

For strong security we recommend setting tls_min_version to 1.2 or 1.3.However this setting might prevent end devices on older operating systems from connecting.