<html><body><div><span>I am trying to configure FreeRADIUS with multiple ROOT CAs. This is not a production environment; it is purely a test environment. We need the ability to test out products against FreeRADIUS and other RADIUS servers using multiple different certificate sizes and ROOT CAs.</span><br><br><span>I currently have the following in my eap.conf file. Based on the way I read the eap.conf file, this would be the correct way of doing it. Here is what happens. I can authenticate against the first ROOT CA no matter which one it is, as long as it's the first in the list. It's like all other CAs are ignored. In the below, as you can see, I have commented out the first few ROOT CAs and 1024ca.pem is the current first in the list. I am able to authenticate against this one but none past it. If I comment out 1024, then I can authenticate against the next. Any help would be greatly appreciated.</span><br><br><span>I had read on another forum that in order to support multiple ROOT CAs you just put them all in the same file. I tried this as well, with just the certs as well as with the certs and the private keys; neither seemed to work. I believe that was on a RADIUS 1.x server though, so maybe</span><br><br><br><span>FreeRADIUS 2.1.10</span><br><span>Ubuntu 10.04</span><br><br><span>Thanks,</span><br><pre>
        #certdir = ${confdir}/certs
        #cadir = ${confdir}/certs

        #certdir = /etc/freeradius/certs20080204
        #cadir = /etc/freeradius/certs20080204
        certdir = /etc/freeradius/Certs11-20-2011/client/pem
        cadir = /etc/freeradius/Certs11-20-2011/CA/pem


        #private_key_password = whatever
        #private_key_file = ${certdir}/server.pem

        private_key_password = passphrase
        #private_key_file = ${certdir}/1010Client.pem
        private_key_file = ${certdir}/1024_1024client.pem

        #  If Private key &amp; Certificate are located in
        #  the same file, then private_key_file &amp;
        #  certificate_file must contain the same file
        #  name.
        #
        #  If CA_file (below) is not used, then the
        #  certificate_file below MUST include not
        #  only the server certificate, but ALSO all
        #  of the CA certificates used to sign the
        #  server certificate.
        #certificate_file = ${certdir}/server.pem

        #certificate_file = ${certdir}/1010Client.pem
        certificate_file = ${certdir}/1024_1024client.pem

        #  Trusted Root CA list
        #
        #  ALL of the CA's in this list will be trusted
        #  to issue client certificates for authentication.
        #
        #  In general, you should use self-signed
        #  certificates for 802.1x (EAP) authentication.
        #  In that case, this CA file should contain
        #  *one* CA certificate.
        #
        #  This parameter is used only for EAP-TLS,
        #  when you issue client certificates.  If you do
        #  not use client certificates, and you do not want
        #  to permit EAP-TLS authentication, then delete
        #  this configuration item.
        #CA_file = ${cadir}/ca.pem

        #CA_file = ${cadir}/PV_10_CA.pem
        #CA_file = ${cadir}/CA/pem/1024ca.pem
        #CA_file = ${cadir}/512ca.pem
        #CA_file = ${cadir}/768ca.pem
        CA_file = ${cadir}/1024ca.pem
        CA_file = ${cadir}/1280ca.pem
        CA_file = ${cadir}/1536ca.pem
        CA_file = ${cadir}/1792ca.pem
        CA_file = ${cadir}/2048ca.pem
        CA_file = ${cadir}/4096ca.pem
</pre></div><div><br></div><div><br></div><div><pre style="font-family: Helvetica,Arial,sans-serif; font-size: 13px" data-mce-style="font-family: Helvetica,Arial,sans-serif; font-size: 13px;">Thanks,

Kris Armstrong
CCNP, CCDP, MCSE, Security+, A+
Cell Ph:719.440.30.79
Google Voice: 719.357.5821
Fax Ph: 866.390.8416
E-Mail: kris.armstrong@me.com
Skype: kris.armstrong@gmail.com
FaceTime: kris.armstrong@me.com</pre></div></body></html>
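As an added example (not from the original post), the script below builds a single CA_file bundle from several root CA PEM files: OpenSSL, which FreeRADIUS uses for EAP-TLS, loads every certificate it finds in the one file named by CA_file, so one bundle containing only certificates is how several roots get trusted, and any private key concatenated in by mistake is dropped rather than shipped in the trust file. The file names, the working directory and the placeholder PEM contents are constructed for the demo, not real certificates.

```shell
# Copy only "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# blocks from each input file into the bundle. Private keys and any other
# PEM blocks in the inputs are skipped, so the bundle is safe to use as CA_file.
build_ca_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        awk '/-----BEGIN CERTIFICATE-----/ {keep=1}
             keep {print}
             /-----END CERTIFICATE-----/ {keep=0}' "$f" >> "$out"
    done
}

# Number of certificates in a PEM file (prints 0 if there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit status 0 if the file carries a private key block, 1 otherwise.
has_private_key() {
    grep -q -- 'PRIVATE KEY-----' "$1"
}

# Constructed sample input (placeholder PEM bodies, not real certificates):
# one clean root and one root file that also holds its private key.
WORK="${TMPDIR:-/tmp}/ca-bundle-demo.$$"
mkdir -p "$WORK"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...1024ca-placeholder' \
    '-----END CERTIFICATE-----' > "$WORK/1024ca.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...2048ca-placeholder' \
    '-----END CERTIFICATE-----' \
    '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...key-placeholder' \
    '-----END RSA PRIVATE KEY-----' > "$WORK/2048ca.pem"

build_ca_bundle "$WORK/ca-bundle.pem" "$WORK/1024ca.pem" "$WORK/2048ca.pem"
echo "bundle holds $(count_certs "$WORK/ca-bundle.pem") certificate(s)"
```

Point eap.conf at the result with a single `CA_file = ${cadir}/ca-bundle.pem` line, and check each test client certificate against it with `openssl verify -CAfile ca-bundle.pem client.pem` before trying it through the RADIUS server.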