FreeRadius Certificate Migration

John Dennis jdennis at redhat.com
Mon May 13 21:30:06 CEST 2013


On 05/13/2013 01:46 PM, Mitch Yackobeck wrote:
> Good afternoon All,
>
> I've taken some time over the last little while to work with my
> test environment in getting it up to date and trying out some issues with
> regard to authenticating against multiple certificates on a single SSID
> for the purpose of migration to a new root certificate while still
> continuing to function with the old in the transition phase.
>
> What I'm finding though is that when I try to authenticate against that
> particular server, which now has both its own certs applied and the root
> cert from my production server as well to replicate the instance of a
> new root being installed, is that I can authenticate a user with the
> specific certs for the test server, but not a client using certs for the
> production server.
>
> I've taken a few captures of the server coming online using -X, an
> attempted connection with the production certs and also the
> configuration of my eap.conf file.  I can see in initial stages that the
> EAP-TLS actually reads a bit of what the client is passing, enough to
> say that it has a valid client cert.   But when it comes back to dive
> deeper into the cert, it appears that it does not recognize the CA as
> being there and bottoms out the request with a reject.
>
> I've got both roots in a single file in the directory specified and when
> I do an openssl verify on the roots, it does come back :ok.   I found
> some articles on how to link up the new certificate in openssl so that
> it can at least read it properly as trusted.  But the FR server appears
> not to recognize it on the second pass.   Perhaps I'm missing something,
> but is it even possible to authenticate using both root CAs at one time?
>
> Thank you in advance for any assistance / guidance anyone can provide
> with this.

A couple of hints:

Do write comprehensible prose where you state the goal, what you've 
done, and your analysis.

Do not send jpg images!

Do send the output of radiusd -X.

Since you live and work in Ontario I can only assume you're a native 
English speaker. Reread your first paragraph; it's incomprehensible 
gibberish. In order to communicate with others it would behoove you to 
learn sentence and paragraph structure. Do you really work for a school 
system? Sorry, I don't mean to be snarky, but I read your email 3 times 
and although I can approximate the problem you're encountering, it's so 
lost amid the poor writing that I for one am not inclined to help. Writing 
still matters and pictures will never be a substitute.

Would you like to try this again, but with something comprehensible and 
which follows the rules of the list (i.e. include the output of radiusd -X)?
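The check the quoted question is reaching for, as an added example that is not from the original thread or from the FreeRADIUS project: a POSIX shell script that builds two constructed throwaway root CAs (an "old" production-era root and a "new" one), issues one client certificate from each, concatenates both roots into a single PEM bundle, which is the layout a CA-file setting such as FreeRADIUS's EAP-TLS CA file reads, and then verifies each client certificate against that bundle with openssl verify. Running openssl verify on the roots themselves only checks their self-signatures; the useful check during a migration is whether a client certificate from each generation chains to the bundle. Every file name, CA subject, user name and the minimal openssl.cnf below are made up for this demonstration.

```shell
#!/bin/sh
# Constructed demonstration: two throwaway root CAs ("old" and "new"), one
# client certificate issued by each, and a single PEM bundle holding both
# roots. The bundle is the layout a CA-file setting such as FreeRADIUS's
# EAP-TLS CA file reads: PEM certificates concatenated back to back.
# Every file name, subject and user name below is made up for this example.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Minimal OpenSSL config so the result does not depend on the host's default
# openssl.cnf. v3_ca marks a certificate as a CA; v3_client marks an
# end-entity certificate usable for TLS client authentication (EAP-TLS).
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed root CA (key + certificate), valid for one day
make_ca() {
    openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Test Root CA $1" \
        -keyout "$WORK/ca-$1.key" -out "$WORK/ca-$1.pem" 2>/dev/null
}

# make_client CA_NAME USER: client key + CSR, signed by the named root
make_client() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/ca-$1.pem" -CAkey "$WORK/ca-$1.key" -CAcreateserial \
        -extfile "$CNF" -extensions v3_client -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against BUNDLE CERT: succeeds only if CERT chains to a root in BUNDLE
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# count_accepted BUNDLE CERT...: prints how many of the certificates verify
count_accepted() {
    bundle="$1"; shift
    n=0
    for cert in "$@"; do
        if verify_against "$bundle" "$cert"; then n=$((n + 1)); fi
    done
    echo "$n"
}

setup() {
    make_ca old
    make_ca new
    make_client old alice   # client still holding a production-era certificate
    make_client new bob     # client already re-enrolled under the new root
    # Both trust anchors in one file; the order of the roots does not matter.
    cat "$WORK/ca-old.pem" "$WORK/ca-new.pem" > "$WORK/ca-bundle.pem"
}

setup
echo "roots in bundle: $(grep -c 'BEGIN CERTIFICATE' "$WORK/ca-bundle.pem")"
echo "accepted with old root only: $(count_accepted "$WORK/ca-old.pem" "$WORK/alice.pem" "$WORK/bob.pem")"
echo "accepted with new root only: $(count_accepted "$WORK/ca-new.pem" "$WORK/alice.pem" "$WORK/bob.pem")"
echo "accepted with both roots:    $(count_accepted "$WORK/ca-bundle.pem" "$WORK/alice.pem" "$WORK/bob.pem")"
```

With only one root in the CA file exactly one of the two clients verifies; with the concatenated bundle both do. If the RADIUS server is configured to read trust anchors from a hashed directory (FreeRADIUS's `CA_path` in the tls section of eap.conf) rather than a single file (`CA_file`), the directory's hash links have to be regenerated with `c_rehash` after the new root is dropped in, which is the "linking up" step the quoted message alludes to; in either case the radiusd -X output is what shows which anchors the server actually loaded.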


More information about the Freeradius-Users mailing list