Multiple EAP-TLS modules with different certificates

Thibault Le Meur Thibault.LeMeur at
Wed Mar 31 16:54:02 CEST 2010


I'm about to change the CA of my radius server certificate. At the same 
time I've installed a new wifi network and plan to change the SSID as 
well (authentication is EAP-TTLS or EAP-PEAP).

In order to avoid a complete breakout when I change the certificate of 
my radius server (because a manual operation is required on the 
supplicant side to select the new CA), I'd like to configure FR so that:
* when the WiFi client connects to the SSID1, the server uses the old 
certificate and key,
* and when the client uses the SSID2, the radius server uses the new 
certificate and key

Is this possible?

I've already tried such a configuration by:
* defining 2 eap modules let's say "eapOld" and "eapNew" (each with its 
own key and cert)
* making sure that depending on the SSID, the access-point sets a 
different NAS-Identifier (let's say ID1 and ID2) in the Access-request
* in the virtual FR server, I've used unlang to run either eap module:
   in authorize:
        if ("%{request:NAS-Identifier}" == ID1) {
                eapOld {
                        ok = return
                }
        }

        if ("%{request:NAS-Identifier}" == ID2) {
                eapNew {
                        ok = return
                }
        }
   in authenticate:
        Auth-Type eapNew {
                eapNew
        }
        Auth-Type eapOld {
                eapOld
        }
in eap.conf: the two eap modules differ only in their certificate/key, 
they redirect to the same inner-tunnel virtual server.

The result so far is that with such a setup my wireless clients can't 
connect at all when they check the certificate, but can connect when 
they don't (no matter what setup is done on the client side). Of course 
I've installed the 2 certificates on the client to check this.

A quick look at FR debug logs confirms, as far as I can read them, that 
the client is refusing the radius server certificate.

Is there a client tool to check which certificate is used by FR?
Have I missed something in the setup?

I've tried to turn on Windows EAP logs, but they aren't very easy to read 
as far as TLS/TTLS/PEAP authentication is concerned!

Environment: FR is 2.1.1, clients used are Windows XP SP3 and Windows 7.

Thanks a lot for your ideas, proposals, ...

Best regards,
