Thibault Le Meur wrote:
In order to avoid a complete breakout when I change the certificate of my radius server (because a manual operation is required on the supplicant side to select the new CA), I'd like to configure FR so that: * when the WiFi client connects to the SSID1, the server uses the old certificate and key, * and when the client uses the SSID2, the radius server uses the new certificate and key
Is this possible ?
Yes. Others use multiple certs && multiple EAP modules.
The result so far is that with such setup my wireless clients can't connect at all when they check the certificate, but can connect when they don't (no matter what setup is done on the client side). Of course I've installed the 2 certificates on the client to check this.
A quick look at FR debug logs confirms, as far as I can read them, that the client is refusing the radius server certificate.
I don't think that's in the debug log.
Is there a client tool to check which certificate is used by FR ?
wireshark might do it.
Have I missed something in the setup ?
Did you test each piece in isolation before putting it all together?
I've tried to turn on Windows EAP log, but they aren't very easy to read as far as TLS/TTLS/PEAP authentication is concerned !
They're horrible... Alan DeKok.