Multiple EAP-TLS modules with different certificates

Alan DeKok aland at
Wed Mar 31 21:30:50 CEST 2010

Thibault Le Meur wrote:
> In order to avoid a complete breakout when I change the certificate of
> my radius server (because a manual operation is required on the
> supplicant side to select the new CA), I'd like to configure FR so that:
> * when the WiFi client connects to the SSID1, the server uses the old
> certificate and key,
> * and when the client uses the SSID2, the radius server uses the new
> certificate and key
> Is this possible?

  Yes.  Others use multiple certs && multiple EAP modules.

> The result so far is that with such a setup my wireless clients can't
> connect at all when they check the certificate, but can connect when
> they don't (no matter what setup is done on the client side). Of course
> I've installed the 2 certificates on the client to check this.
> A quick look at FR debug logs confirms, as far as I can read them, that
> the client is refusing the radius server certificate.

  I don't think that's in the debug log.

> Is there a client tool to check which certificate is used by FR?

  Wireshark might do it.

> Have I missed something in the setup?

  Did you test each piece in isolation before putting it all together?

> I've tried to turn on Windows EAP logs, but they aren't very easy to read
> as far as TLS/TTLS/PEAP authentication is concerned!

  They're horrible...

  Alan DeKok.
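
An added example, not part of the original post or of FreeRADIUS: one way to see which certificate the server presented on each SSID is to reassemble the TLS bytes from the server's EAP-Request fragments (exported from a capture) and fingerprint the certificates in the TLS Certificate message, then compare against the known old and new certificates. It assumes TLS 1.2 or earlier, where that message is sent in the clear; all function names are hypothetical and the sample bytes are constructed, not real DER.

```python
import hashlib
import struct

TLS_EAP_TYPES = {13, 21, 25}  # EAP-TLS, EAP-TTLS, PEAP share this framing
FLAG_L = 0x80                 # L bit: a 4-byte TLS message length follows

def tls_payload(eap_requests):
    """Reassemble the TLS bytes carried in the server's EAP-Request fragments."""
    out = b""
    for pkt in eap_requests:
        code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
        if code == 1 and eap_type in TLS_EAP_TYPES:
            out += pkt[10 if flags & FLAG_L else 6:length]
    return out

def server_cert_fingerprints(tls):
    """SHA-256 of each certificate in the TLS Certificate message, leaf first."""
    handshake, pos = b"", 0
    while pos + 5 <= len(tls):                 # TLS records: type, version, length
        rtype, _ver, rlen = struct.unpack("!BHH", tls[pos:pos + 5])
        if rtype == 22:                        # 22 = handshake record
            handshake += tls[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    pos = 0
    while pos + 4 <= len(handshake):           # handshake: type, 3-byte length
        mlen = int.from_bytes(handshake[pos + 1:pos + 4], "big")
        body = handshake[pos + 4:pos + 4 + mlen]
        if handshake[pos] == 11:               # 11 = Certificate
            if len(body) < mlen:
                raise ValueError("capture ends before the Certificate message does")
            prints, i = [], 3                  # skip the certificate_list length
            while i + 3 <= len(body):
                clen = int.from_bytes(body[i:i + 3], "big")
                prints.append(hashlib.sha256(body[i + 3:i + 3 + clen]).hexdigest())
                i += 3 + clen
            return prints
        pos += 4 + mlen
    return []

def constructed_capture(cert, frag=20):
    """Constructed sample: ServerHello stub + Certificate, split into EAP fragments."""
    u24 = lambda n: n.to_bytes(3, "big")
    chain = u24(len(cert)) + cert
    hs = b"\x02" + u24(2) + b"\x03\x01" + b"\x0b" + u24(len(chain) + 3) + u24(len(chain)) + chain
    tls = struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
    for off in range(0, len(tls), frag):
        flags = (0x40 if off + frag < len(tls) else 0) | (0 if off else FLAG_L)  # M, L bits
        data = bytes([flags]) + (b"" if off else struct.pack("!I", len(tls))) + tls[off:off + frag]
        yield struct.pack("!BBHB", 1, 1 + off // frag, 5 + len(data), 13) + data
```

With a real capture, the first fingerprint can be compared with the SHA-256 of the DER encoding of the old and new server certificates to tell which EAP module answered.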
