Hi Vladimir,
In hope that this will work like it works with modules with different types (chap -> mschap -> pap). If client does not accept server certificate from the first module, then try to send certificate from the second module. But eap module is not simple and is called multiply times (Challenge response) to setup eap session, thus this approach does not work. this approach doesn't work since the EAP process will fail as soon as the client sees a certificate signed by an unknown CA.
Your problem is well known though. It occurs when (for some reason) a CA certificate needs to be changed or becomes invalid. For security reasons you normally trust only one CA on a client and only accept server certs signed by that particular CA. However, there's a method that works for tunneled EAP methods like PEAP or EAP-TTLS. You can "signal" what CA a client expects by using different outer (anonymous) identities. For example you could use "anonymous@...." for clients that trust the old CA and "anonymous2@..." for those that trust the new CA. You can then define the two modules "eap" an "eap2" and do something like if ( &User-Name == "anonymous@your-realm" ) { eap { ok = return } } else { eap2 { ok = return } } (you should probably not use "else" but rather use two "if" statements; but you get what I mean) in the authorize section of the site for which you need to offer server certs signed by different CAs. Kind regards, Christian -- Dipl.-Math. Christian Strauf Clausthal Univ. of Technology E-Mail: strauf@rz.tu-clausthal.de Rechenzentrum Web: www.rz.tu-clausthal.de Erzstraße 18 Tel.: +49-5323-72-2086 Fax: -992086 D-38678 Clausthal-Zellerfeld