FreeRADIUS with 2 certs/CAs etc

Alan DeKok aland at deployingradius.com
Wed Sep 30 22:01:00 CEST 2009


Alan Buxey wrote:
> anyway, in summary, your RADIUS server has to answer to the old clients
> and the new clients. What is the best practice way or configuration to ensure
> that your RADIUS server can be both people... old server cert + old CA and
> new server cert + new CA so that it can deal with both types of clients.

  Stick your fingers in your ears and go "la la la la la".

  It's a big problem with certificates and PKI.

  The best solution is:

1) CA cert, 4K-bit key, many many years of validity
2) server cert, 2K-bit key, a smaller validity period
3) give the CA cert to clients, and not the server cert
4) LONG before the CA expires, hand them a new CA that is still valid.
5) when everyone has the new CA, switch to using it.
6) anyone still using the old CA is screwed.  Tough.

> I'm thinking 2 virtual servers... one with the old eap.conf and the other
> with the new eap.conf, with each virtual server ready to deal with each type of client
> - but then how to direct the incoming EAP the right way.

  You can't.  The SSL session setup is invisible to EAP.  Even if it
wasn't, the SSL session setup depends on the certs... and you can't
switch certs once you've set up a session based on them.

  Alan DeKok.



More information about the Freeradius-Users mailing list