<html><body><div><span>I am trying to configure FreeRADIUS with multiple root CAs. This is not a production environment; it is purely a test environment. We need the ability to test out products against FreeRADIUS and other RADIUS servers using multiple different certificate sizes and root CAs.
</span><br><br><span>I currently have the following in my eap.conf file. Based on the way I read the eap.conf file, this would be the correct way of doing it. Here is what happens. I can authenticate against the first root CA, no matter which one it is, as long as it is the first in the list; it is as if all other CAs are ignored. In the config below, as you can see, I have commented out the first few root CAs, and 1024ca.pem is currently the first in the list. I am able to authenticate against this one but none past it. If I comment out 1024, then I can authenticate against the next. Any help would be greatly appreciated.
</span><br><br>I had read on another forum that in order to support multiple root CAs you just put them all in the same file. I tried this as well, with just the certs as well as with the certs and the private keys; neither seemed to work. I believe that was on a RADIUS 1.x server though, so maybe there is a change in 2.x? Any thoughts or ideas that I might be missing would be greatly appreciated. Thanks in advance.<br><br><br><span>FreeRADIUS 2.1.10
</span><br><span>Ubuntu 10.04
</span><br><br><span>Thanks,
</span><br><pre>
        #certdir = ${confdir}/certs
        #cadir = ${confdir}/certs

        #certdir = /etc/freeradius/certs20080204
        #cadir = /etc/freeradius/certs20080204
        certdir = /etc/freeradius/Certs11-20-2011/client/pem
        cadir = /etc/freeradius/Certs11-20-2011/CA/pem


        #private_key_password = whatever
        #private_key_file = ${certdir}/server.pem

        private_key_password = passphrase
        #private_key_file = ${certdir}/1010Client.pem
        private_key_file = ${certdir}/1024_1024client.pem

        #  If Private key &amp; Certificate are located in
        #  the same file, then private_key_file &amp;
        #  certificate_file must contain the same file
        #  name.
        #
        #  If CA_file (below) is not used, then the
        #  certificate_file below MUST include not
        #  only the server certificate, but ALSO all
        #  of the CA certificates used to sign the
        #  server certificate.
        #certificate_file = ${certdir}/server.pem

        #certificate_file = ${certdir}/1010Client.pem
        certificate_file = ${certdir}/1024_1024client.pem

        #  Trusted Root CA list
        #
        #  ALL of the CA's in this list will be trusted
        #  to issue client certificates for authentication.
        #
        #  In general, you should use self-signed
        #  certificates for 802.1x (EAP) authentication.
        #  In that case, this CA file should contain
        #  *one* CA certificate.
        #
        #  This parameter is used only for EAP-TLS,
        #  when you issue client certificates.  If you do
        #  not use client certificates, and you do not want
        #  to permit EAP-TLS authentication, then delete
        #  this configuration item.
        #CA_file = ${cadir}/ca.pem

        #CA_file = ${cadir}/PV_10_CA.pem
        #CA_file = ${cadir}/CA/pem/1024ca.pem
        #CA_file = ${cadir}/512ca.pem
        #CA_file = ${cadir}/768ca.pem
        CA_file = ${cadir}/1024ca.pem
        CA_file = ${cadir}/1280ca.pem
        CA_file = ${cadir}/1536ca.pem
        CA_file = ${cadir}/1792ca.pem
        CA_file = ${cadir}/2048ca.pem
        CA_file = ${cadir}/4096ca.pem
</pre></div><div><br></div><div><br></div><div><pre style="font-family: Helvetica,Arial,sans-serif; font-size: 13px" data-mce-style="font-family: Helvetica,Arial,sans-serif; font-size: 13px;">Thanks,

Kris Armstrong
</pre></div></body></html>
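The behaviour described in the post (only the first CA_file line takes effect) matches a config parser that reads a single CA_file value rather than accumulating repeated keys, so the working shape is one bundle file holding only the CA certificates, which CA_file then points at. The script below is an added example, not part of the original post or of FreeRADIUS: it builds a throwaway test PKI with openssl (constructed data, hypothetical file names standing in for the poster's 1024ca.pem and friends), concatenates just the CA certificates into a bundle, and checks with openssl verify which client certificates chain to it and which do not. It assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original post): build one trusted-CA bundle for the
# FreeRADIUS eap.conf tls { } section and check which client certificates it validates.
# Assumes: openssl is installed. All keys and certs are constructed test data in a
# temporary directory; the key sizes are hypothetical stand-ins for the poster's files.
set -eu

WORK=$(mktemp -d)
SIZES="2048 3072"

# One self-signed root CA per key size, plus one client certificate issued by each.
make_test_pki() {
  for bits in $SIZES; do
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 30 \
      -keyout "$WORK/${bits}ca.key" -out "$WORK/${bits}ca.pem" \
      -subj "/CN=Test Root CA $bits" >/dev/null 2>&1
    openssl req -newkey "rsa:$bits" -nodes \
      -keyout "$WORK/${bits}client.key" -out "$WORK/${bits}client.csr" \
      -subj "/CN=client-$bits" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/${bits}client.csr" \
      -CA "$WORK/${bits}ca.pem" -CAkey "$WORK/${bits}ca.key" -CAcreateserial \
      -out "$WORK/${bits}client.pem" >/dev/null 2>&1
  done
}

# Concatenate only the CA *certificates* (never the private keys) into one bundle.
# This is the single file a CA_file = ${cadir}/ca-bundle.pem line would point at.
# Prints the number of certificates the bundle contains, as a sanity check.
build_bundle() {
  cat "$WORK"/*ca.pem > "$WORK/ca-bundle.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/ca-bundle.pem"
}

# Exit 0 if the client cert for key size $1 chains to a CA in CA file $2, else non-zero.
verify_client() {
  openssl verify -CAfile "$2" "$WORK/${1}client.pem" >/dev/null 2>&1
}

make_test_pki
echo "CA certificates in bundle: $(build_bundle)"
for bits in $SIZES; do
  if verify_client "$bits" "$WORK/ca-bundle.pem"; then
    echo "client-$bits: chains to the bundle"
  else
    echo "client-$bits: NOT trusted by the bundle"
  fi
done
```

Pointing the same check at a single CA file (for example only 2048ca.pem) shows the failure mode from the post: clients issued by the other CAs are rejected.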