<html><body><div><span>I am trying to configure FreeRADIUS with multiple root CAs. This is not a production environment; it is purely a test environment. We need the ability to test out products against FreeRADIUS and other RADIUS servers, using multiple different certificate sizes and root CAs.
</span><br><br><span>I currently have the following in my eap.conf file.
Based on the way I read the eap.conf file, this would be the correct
way of doing it. Here is what happens. I can authenticate against the first root CA no matter which one it is, as long as it is the first in the list. It is like all other CAs are ignored. In the below, as you can see, I have commented out the first few root CAs and 1024ca.pem is the current first in the list. I am able to authenticate against this one but none past it. If I comment out 1024, then I can authenticate against the next. Any help would be greatly appreciated.
</span><br><br>I had read on another forum that in order to support multiple root CAs you just put them all in the same file. I tried this as well, with just the certs as well as with the certs and the private keys; neither seemed to work. I believe that was on a RADIUS 1.x server though, so maybe there is a change in 2.x? Any thoughts or ideas that I might be missing would be greatly appreciated. Thanks in advance.<br><br><br><span>FreeRADIUS 2.1.10
</span><br><span>Ubuntu 10.04
</span><br><br><span>Thanks,
</span><br><br><pre>
#certdir = ${confdir}/certs
#cadir = ${confdir}/certs

#certdir = /etc/freeradius/certs20080204
#cadir = /etc/freeradius/certs20080204
certdir = /etc/freeradius/Certs11-20-2011/client/pem
cadir = /etc/freeradius/Certs11-20-2011/CA/pem


#private_key_password = whatever
#private_key_file = ${certdir}/server.pem

private_key_password = passphrase
#private_key_file = ${certdir}/1010Client.pem
private_key_file = ${certdir}/1024_1024client.pem

# If Private key &amp; Certificate are located in
# the same file, then private_key_file &amp;
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
#certificate_file = ${certdir}/server.pem

#certificate_file = ${certdir}/1010Client.pem
certificate_file = ${certdir}/1024_1024client.pem

# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
#CA_file = ${cadir}/ca.pem

#CA_file = ${cadir}/PV_10_CA.pem
#CA_file = ${cadir}/CA/pem/1024ca.pem
#CA_file = ${cadir}/512ca.pem
#CA_file = ${cadir}/768ca.pem
CA_file = ${cadir}/1024ca.pem
CA_file = ${cadir}/1280ca.pem
CA_file = ${cadir}/1536ca.pem
CA_file = ${cadir}/1792ca.pem
CA_file = ${cadir}/2048ca.pem
CA_file = ${cadir}/4096ca.pem
</pre></div><div><br></div><div><br></div><div><pre style="font-family: Helvetica,Arial,sans-serif; font-size: 13px" data-mce-style="font-family: Helvetica,Arial,sans-serif; font-size: 13px;">Thanks,
Kris Armstrong
</pre></div></body></html>
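Added example, written for this page; it is not the poster's configuration and not FreeRADIUS code. The eap.conf tls section takes a single CA_file value, so listing the directive several times does not stack CAs (only the first copy takes effect, which is the behaviour the post describes). The two supported ways to trust several roots are one CA_file containing every root certificate concatenated, or CA_path pointing at an OpenSSL hashed directory of the kind c_rehash builds. The trust file must contain only certificates: a CA private key belongs nowhere near it. The script below builds three test root CAs of different RSA sizes (1024, 2048 and 4096 bits; the names, sizes and temporary paths are constructed for the demo), assembles both a bundle and a hashed directory, strips a private key that was deliberately left in one of the input files, and uses openssl verify to show that a client certificate from each CA is accepted by the bundle while a single-CA file (the poster's effective setup) rejects the clients of the other CAs. It assumes OpenSSL 1.1.0 or newer on PATH (for the -no-CAfile and -no-CApath switches); the eap.conf fragment it prints uses the FreeRADIUS 2.x option names with this run's paths substituted.

```shell
#!/bin/sh
# Added example, not part of the original post or of FreeRADIUS itself.
# Builds several test root CAs, puts their certificates into ONE CA bundle
# (and, alternatively, one hashed CA_path directory) and checks with
# "openssl verify" which client certificates each trust store accepts.
# Assumes OpenSSL 1.1.0 or newer on PATH. All names, key sizes and paths
# are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_root_ca NAME BITS: self-signed RSA root CA with a BITS-bit key.
make_root_ca() {
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 30 \
        -subj "/CN=test root $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_client_cert NAME CA: 2048-bit client certificate signed by root CA.
make_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -sha256 -days 30 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# build_ca_bundle OUT FILE...: concatenate the CA certificates into one PEM
# file. Each input goes through "openssl x509", which re-emits only the
# CERTIFICATE block, so a private key sitting in the same input file (as the
# poster tried) is dropped instead of being copied into the trust store.
build_ca_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        openssl x509 -in "$f" >> "$out"
    done
}

# build_ca_path DIR FILE...: OpenSSL hashed directory (what c_rehash makes);
# each CA certificate is stored as <subject-hash>.<n>.
build_ca_path() {
    dir="$1"; shift
    mkdir -p "$dir"
    for f in "$@"; do
        h=$(openssl x509 -noout -hash -in "$f")
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        cp "$f" "$dir/$h.$n"
    done
}

# count_certs FILE: number of CERTIFICATE blocks in a PEM file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# has_private_key FILE: succeeds if the file carries any PRIVATE KEY block.
has_private_key() { grep -q 'PRIVATE KEY' "$1"; }

# verify_client CERT CAFILE: succeeds only if CERT chains to a CA in CAFILE
# (-no-CApath keeps the system trust store out of the check).
verify_client() { openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; }

# verify_client_path CERT CADIR: the same check against a hashed directory.
verify_client_path() { openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1; }

main() {
    for bits in 1024 2048 4096; do
        make_root_ca "ca-$bits" "$bits"
        make_client_cert "client-$bits" "ca-$bits"
    done
    # A CA file that also carries its private key, like the poster's attempt.
    cat "$WORK/ca-1024.crt" "$WORK/ca-1024.key" > "$WORK/ca-1024-with-key.pem"

    build_ca_bundle "$WORK/ca-bundle.pem" \
        "$WORK/ca-1024-with-key.pem" "$WORK/ca-2048.crt" "$WORK/ca-4096.crt"
    build_ca_path "$WORK/ca-path" \
        "$WORK/ca-1024.crt" "$WORK/ca-2048.crt" "$WORK/ca-4096.crt"

    echo "bundle: $(count_certs "$WORK/ca-bundle.pem") CA certificates," \
         "private key present: $(has_private_key "$WORK/ca-bundle.pem" && echo yes || echo no)"
    for bits in 1024 2048 4096; do
        if verify_client "$WORK/client-$bits.crt" "$WORK/ca-bundle.pem"; then
            echo "client-$bits: accepted by the bundle"
        else
            echo "client-$bits: REJECTED by the bundle"
        fi
    done
    # Only the first CA loaded (the poster's effective configuration): clients
    # of the other CAs are rejected.
    if verify_client "$WORK/client-2048.crt" "$WORK/ca-1024.crt"; then
        echo "client-2048 against ca-1024 alone: accepted (unexpected)"
    else
        echo "client-2048 against ca-1024 alone: rejected, as the post describes"
    fi

    cat <<EOF
# eap.conf tls {} fragment: one CA_file holding every trusted root, or CA_path
        CA_file = $WORK/ca-bundle.pem
#       CA_path = $WORK/ca-path
EOF
}

main
```

Run it as sh multi-ca-demo.sh; the certificates land in a fresh mktemp directory (override with WORK=/some/dir). For the real eap.conf, point CA_file at a bundle built the same way from the actual root certificates, or CA_path at the hashed directory, and drop the extra CA_file lines.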