Multiple radius servers with the same CA

Matt Harlum matt at cactuar.net
Wed Mar 24 11:34:55 CET 2010


Hi,

Is it possible that 'make server' generated a new CA etc.?

I'd recommend making a copy of the current CA cert on each machine and doing a diff

Regards,
Matt Harlum

On 24/03/2010, at 9:21 PM, sphaero wrote:

> 
> Hi All,
> 
> I've been searching the archives for a while on some guidance into setting
> up multiple radius servers using the same CA for use with EAP/TTLS.
> 
> I've generated a CA which is distributed to all the clients (i.e. SecureW2).
> I've got 2 radius servers for redundancy. All NAS devices have two radius
> servers configured.
> 
> I'm using the scripts from freeradius 2.0 to generate the certificates
> according to instructions in the README. I've set up the ca.cnf and
> server.cnf (not using eap/tls so I skip clients.cf).
> 
> On the primary radius server I generated the certificates by issuing:
> make
> 
> Now on the second radius server I just copy the following files:
> /certs/ca.pem
> /certs/ca.key
> /certs/ca.der
> /certs/*.cnf
> /certs/Makefile
> /certs/README
> /certs/xpextensions
> 
> and issue: 
> make server
> make dh
> 
> This seems to have worked. But is this really correct? 
> I'm renewing one radius server and did this procedure again but now I'm
> receiving "chain could not be validated" errors in SecureW2. Radius log
> seems fine however EAP communication is not finished which corresponds with
> the client stopping communication since it can't validate the certificate.
> I'm really getting lost in the SSL jungle. I would really like to understand
> how this is done right, since it is about security.
> 
> Rg,
> 
> Arnaud
> -- 
