Multiple radius servers with the same CA

sphaero arnaud at
Wed Mar 24 11:21:03 CET 2010

Hi All,

I've been searching the archives for a while on some guidance into setting
up multiple radius servers using the same CA for use with EAP/TTLS.

I've generated a CA which is distributed to all the clients (i.e. SecureW2).
I've got 2 radius servers for redundancy. All NAS devices have two radius
server configured.

I'm using the scripts from freeradius 2.0 to generate the certificates
according to instructions in the README. I've setup the ca.cnf and
server.cnf (not using eap/tls so I skip

On the primary radius server I generated the certificates by issuing:

Now on the second radius server I just copy the following files:

and issue: 
make server
make dh

This seems to have worked. But is this really correct? 
I'm renewing one radius server and did this procedure again but now I'm
receiving "chain could not be validated" errors in SecureW2. Radius log
seems fine however EAP communication is not finished which corresponds with
the client stopping communication since it can't validate the certificate.
I'm really getting lost in the SSL jungle? I would really like to understand
how this is done right, since it is about security.


View this message in context:
Sent from the FreeRadius - User mailing list archive at

More information about the Freeradius-Users mailing list