FreeRADIUS with 2 certs/CAs etc

[Alan Buxey]

hi,

in the UK I deal with various questions regarding FreeRADIUS
configuration and abilities - occasionally a question pops up that
I'm very unfamilar with or havent got a direct clue to answer..
today one of those reemerged and as this might affect anyone at any point
I was looking for best practice or a methodology.

Say you have a nice FR setup...all is going well and everything is fine
but then you have an issue with the certificate - eg its going to
expire , or its been revoked...then you are going to have to have a new
certificate for your FR server - but your clients will have the old
certificate and CA - and your new clients will have the new cert and CA..and
you might not be able to sort out all your clients for some time - hopefully
before the final day of cert validity!

anyway, in summary, your RADIUS server has to answer to the old clients
and the new clients. What is the best practice way or configuration to ensure
that your RADIUS server can be both people...old servercert+old_CA and
new servertcert+new_CA so that it can deal with both types of clients.

I'm thinking 2 virtual servers....one with old eap.conf and the other
with neweap.conf with each virtual server ready to deal with each type of client
- but then how to direct the incoming EAP to the right way. 

I cant see the normal fall-through group working --because the client has to
create the EAP tunnel... or would a normal fallthrough system work...
we send it to eap1 and if it fails send it to eap2 (which should be okay if
client config okay!) ?

I can envisage fronting it with a.n.other RADIUS solution which will proxy
the request through a remote server list UNTIL it doesnt get a REJECT back..
but i dont want additional software in the mix

thanks

alan