<html><body><div><span>I am trying to configure free radius with multiple <span class="bold highlight search-highlight">ROOT</span> <span class="bold highlight search-highlight">CA</span>'s. This is not a products environment it is purely a test environment. We need the ability to test out products against <span class="bold highlight search-highlight">freeradius</span> and other radius servers. using multiple different certificate sizes and <span class="bold highlight search-highlight">ROOT</span> <span class="bold highlight search-highlight">CA</span>'s. </span><br><br><span>I currently have the following in my EAP.conf file. Based on the way I read the eap.conf file this would be the correct way of doing it. Here is what happens. I <span class="bold highlight search-highlight">can</span> authenticate against the first <span class="bold highlight search-highlight">ROOT</span> <span class="bold highlight search-highlight">CA</span> no matter which one it is as long as its the first in the <span class="bold highlight search-highlight">list</span>. its like all other <span class="bold highlight search-highlight">CA</span>'s are ignored. In the below as you <span class="bold highlight search-highlight">can</span> see I have commented out the first few <span class="bold highlight search-highlight">ROOT</span> <span class="bold highlight search-highlight">CAs</span> and the 1024ca.pem is the current first in the <span class="bold highlight search-highlight">list</span>. I am able to authenticate against this one but none past. if I comment out 1024 then I <span class="bold highlight search-highlight">can</span> authenticate against the next. Any help would be greatly appreciated. </span><br><br>I had read on another forum that in order to support multiple ROOT CAs you just put them all in the same file. I tried this as well with just the certs as well as with the certs and the private keys neither seemed to work. I believe that was on a Radius 1.x server though so maybe <br><br><br><span><span class="bold highlight search-highlight">Freeradius</span> 2.1.10 </span><br><span>Ubuntu 10.04 </span><br><br><span>Thanks, </span><br><span> #certdir = ${confdir}/certs </span><br><span> #<span class="bold highlight search-highlight">cadir</span> = ${confdir}/certs </span><br><br><span> #certdir = /etc/<span class="bold highlight search-highlight">freeradius</span>/certs20080204 </span><br><span> #<span class="bold highlight search-highlight">cadir</span> = /etc/<span class="bold highlight search-highlight">freeradius</span>/certs20080204 </span><br><span> certdir = /etc/<span class="bold highlight search-highlight">freeradius</span>/Certs11-20-2011/client/pem </span><br><span> <span class="bold highlight search-highlight">cadir</span> = /etc/<span class="bold highlight search-highlight">freeradius</span>/Certs11-20-2011/<span class="bold highlight search-highlight">CA</span>/pem </span><br><br><br><span> #private_key_password = whatever </span><br><span> #private_key_file = ${certdir}/server.pem </span><br><br><span> private_key_password = passphrase </span><br><span> #private_key_file = ${certdir}/1010Client.pem </span><br><span> private_key_file = ${certdir}/1024_1024client.pem </span><br><br><span> # If Private key & Certificate are located in </span><br><span> # the same file, then private_key_file & </span><br><span> # certificate_file must contain the same file </span><br><span> # name. </span><br><span> # </span><br><span> # If <span class="bold highlight search-highlight">CA_file</span> (below) is not used, then the </span><br><span> # certificate_file below MUST include not </span><br><span> # only the server certificate, but ALSO all </span><br><span> # of the <span class="bold highlight search-highlight">CA</span> certificates used to sign the </span><br><span> # server certificate. </span><br><span> #certificate_file = ${certdir}/server.pem </span><br><br><span> #certificate_file = ${certdir}/1010Client.pem </span><br><span> certificate_file = ${certdir}/1024_1024client.pem </span><br><br><span> # <span class="bold highlight search-highlight">Trusted</span> <span class="bold highlight search-highlight">Root</span> <span class="bold highlight search-highlight">CA</span> <span class="bold highlight search-highlight">list</span> </span><br><span> # </span><br><span> # ALL of the <span class="bold highlight search-highlight">CA</span>'s in this <span class="bold highlight search-highlight">list</span> will be <span class="bold highlight search-highlight">trusted</span> </span><br><span> # to issue client certificates for authentication. </span><br><span> # </span><br><span> # In general, you should use self-signed </span><br><span> # certificates for 802.1x (EAP) authentication. </span><br><span> # In that <span class="bold highlight search-highlight">case</span>, this <span class="bold highlight search-highlight">CA</span> file should contain </span><br><span> # *one* <span class="bold highlight search-highlight">CA</span> certificate. </span><br><span> # </span><br><span> # This parameter is used only for EAP-TLS, </span><br><span> # when you issue client certificates. If you do </span><br><span> # not use client certificates, and you do not want </span><br><span> # to permit EAP-TLS authentication, then delete </span><br><span> # this configuration item. </span><br><span> #<span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/<span class="bold highlight search-highlight">ca</span>.pem </span><br><br><span> #<span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/PV_10_CA.pem </span><br><span> #<span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/<span class="bold highlight search-highlight">CA</span>/pem/1024ca.pem </span><br><span> #<span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/512ca.pem </span><br><span> #<span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/768ca.pem </span><br><span> <span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/1024ca.pem </span><br><span> <span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/1280ca.pem </span><br><span> <span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/1536ca.pem </span><br><span> <span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/1792ca.pem </span><br><span> <span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/2048ca.pem </span><br><span> <span class="bold highlight search-highlight">CA_file</span> = ${<span class="bold highlight search-highlight">cadir</span>}/4096ca.pem </span></div><div><br></div><div><br></div><div><pre style="font-family: Helvetica,Arial,sans-serif; font-size: 13px" data-mce-style="font-family: Helvetica,Arial,sans-serif; font-size: 13px;">Thanks,
Kris Armstrong
CCNP, CCDP, MCSE, Security+, A+
Cell Ph:719.440.30.79
Google Voice: 719.357.5821
Fax Ph: 866.390.8416
E-Mail: kris.armstrong@me.com
Skype: kris.armstrong@gmail.com
FaceTime: kris.armstrong@me.com</pre></div></body></html>