On Nov 1, 2018, at 9:52 AM, work vlpl <thework.vlpl@gmail.com> wrote:
Yes, I know about it. But in my case I can not issue new server certificate from the same CA. That CA was bought by other CA, and now new certificates are signed with different root certificate.
Ugh. That's not nice.
This cause some problems. Clients that verify server certificate using CA certificate that stored in radius configuration, now has broken trust chain.
The problem is that TLS doesn't really allow for what you want. When EAP-TLS (or PEAP or TTLS) starts up, there's no way for the client to signal which CA root it wants. Instead, what happens is this (roughly speaking) client: let's do TLS! server: Sure, here's my CA and server cert! client: Uh... not what I wanted, goodbye! The only way to signal which CA you want is by some other method. i.e. changing the outer identities, as Christian suggested. Or, you could have a list of which systems (i.e. MAC address) use which certificates. And then do: if (system is in group 1) { eap with old Ca cert } else { eap with new CA cert } There aren't really many other options. TLS 1.3 is supposed to fix that, I think, but it's a long way from wide-spread use. Alan DeKok.