3.8.4. EAPTLS_CAFile

For TLS-based EAP types such as TLS, TTLS and PEAP, this parameter specifies the name of a file containing Certificate Authority (CA) root certificates that may be required to validate TLS client certificates. The certificates must be in PEM format. The file can contain several root certificates for one or more CAs. Radiator looks for root certificates first in EAPTLS_CAFile, then in EAPTLS_CAPath, so there usually is no need to set both.
EAPTLS_CAFile is expected to contain a stack of one or more CA certificates that will be used to validate client certificates. The list of CA issuers in that file is also sent to the client during handshaking to tell the client which certificates Radiator accepts.
So, EAPTLS_CAFile must contain all the CA root and intermediate certificates required to validate all the various client certificates that may be installed on your supplicant devices.
Special characters are supported.
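
A structural check to run on a CA bundle before pointing EAPTLS_CAFile at it, as an added example (not Radiator code): it counts the PEM certificate blocks and flags private keys, truncated blocks and non-PEM content. The function names and the sample bundle are constructed for illustration, and the check covers encoding only, not signatures or chain validity.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_is_complete(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE, the outer shape of a certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1]
    if n < 0x80:                          # short form: the byte is the length
        return 2 + n == len(der)
    n &= 0x7F                             # long form: next n bytes hold the length
    return n > 0 and 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def lint_ca_bundle(text: str):
    """Return (certificate_count, problems) for the text of a CA bundle file."""
    blocks, problems, count = PEM_BLOCK.findall(text), [], 0
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append("private key found in CA file")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected PEM block: {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:            # binascii.Error is a ValueError
                der = b""
            if der_is_complete(der):
                count += 1
            else:
                problems.append("certificate block is not complete base64 DER")
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("BEGIN line without matching END line")
    if count == 0:
        problems.append("no usable PEM certificate (DER-encoded file?)")
    return count, problems

def fake_cert(payload_len: int = 300) -> str:
    """Constructed stand-in: a well-formed DER SEQUENCE, not a real certificate."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample: two stand-in CA certificates plus a key that does not belong.
SAMPLE = fake_cert() + fake_cert(400) + "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(lint_ca_bundle(SAMPLE))
```

To check a real file, pass its contents to `lint_ca_bundle()`; a clean bundle returns the number of certificates and an empty problem list.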