Multiple radius servers with the same CA
Matt Harlum
matt at cactuar.net
Wed Mar 24 11:34:55 CET 2010
Hi,
Is it possible that "make server" generated a new CA, etc.?
I'd recommend making a copy of the current CA cert on each machine and doing a diff
Regards,
Matt Harlum
On 24/03/2010, at 9:21 PM, sphaero wrote:
>
> Hi All,
>
> I've been searching the archives for a while on some guidance into setting
> up multiple radius servers using the same CA for use with EAP/TTLS.
>
> I've generated a CA which is distributed to all the clients (i.e. SecureW2).
> I've got 2 radius servers for redundancy. All NAS devices have two radius
> servers configured.
>
> I'm using the scripts from freeradius 2.0 to generate the certificates
> according to instructions in the README. I've set up the ca.cnf and
> server.cnf (not using eap/tls so I skip clients.cf).
>
> On the primary radius server I generated the certificates by issuing:
> make
>
> Now on the second radius server I just copy the following files:
> /certs/ca.pem
> /certs/ca.key
> /certs/ca.der
> /certs/*.cnf
> /certs/Makefile
> /certs/README
> /certs/xpextensions
>
> and issue:
> make server
> make dh
>
> This seems to have worked. But is this really correct?
> I'm renewing one radius server and did this procedure again, but now I'm
> receiving "chain could not be validated" errors in SecureW2. The Radius log
> seems fine; however, EAP communication is not finished, which corresponds with
> the client stopping communication since it can't validate the certificate.
> I'm really getting lost in the SSL jungle. I would really like to understand
> how this is done right, since it is about security.
>
> Rg,
>
> Arnaud
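The two checks discussed in this thread, as an added example that is not part of either message: comparing the CA certificate present on each radius server (Matt's "copy and diff" advice, done by SHA-256 fingerprint) and verifying that a server certificate chains to the CA the clients were given (what SecureW2 does before it completes EAP). The script assumes a POSIX shell and the openssl CLI; the build_demo function constructs throwaway CA and server certificates so it runs offline, and the directory and subject names are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.
set -eu

# ca_fingerprint <ca.pem> -> SHA-256 fingerprint of the CA certificate.
# Comparing this across servers is the quick form of "copy and diff the CA".
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# same_ca <ca1.pem> <ca2.pem> -> "same" or "different"
same_ca() {
    if [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]; then
        echo same
    else
        echo different
    fi
}

# chain_ok <ca.pem> <server.pem> -> "ok" or "fail"
# This is the check the supplicant performs: does the server cert chain to the
# CA that was distributed to the clients? A server signed by a regenerated CA
# fails here, which is the "chain could not be validated" symptom.
chain_ok() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# build_demo <dir>: constructs a fresh self-signed CA and a server certificate
# signed by it (constructed demo material only; 1-day validity, no passphrase).
# Calling it twice stands in for running "make" on two servers independently,
# which yields two different CAs.
build_demo() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=Demo Radius CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=radius.demo.invalid" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.pem" -days 1 2>/dev/null
}
```

On real servers, run ca_fingerprint against the ca.pem under the certs directory of each radius host and chain_ok against each host's server.pem with the ca.pem the clients actually received; only the ca.key should ever need copying, never regenerating.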