Multiple radius servers with the same CA

[John Dennis]

On 03/24/2010 06:21 AM, sphaero wrote:
>
> Hi All,
>
> I've been searching the archives for a while on some guidance into setting
> up multiple radius servers using the same CA for use with EAP/TTLS.
>
> I've generated a CA which is distributed to all the clients (i.e. SecureW2).
> I've got 2 radius servers for redundancy. All NAS devices have two radius
> server configured.
>
> I'm using the scripts from freeradius 2.0 to generate the certificates
> according to instructions in the README. I've setup the ca.cnf and
> server.cnf (not using eap/tls so I skip clients.cf).
>
> On the primary radius server I generated the certificates by issuing:
> make
>
> Now on the second radius server I just copy the following files:
> /certs/ca.pem
> /certs/ca.key
> /certs/ca.der
> /certs/*.cnf
> /certs/Makefile
> /certs/README
> /certs/xpextensions
>
> and issue:
> make server
> make dh
>
> This seems to have worked. But is this really correct?
> I'm renewing one radius server and did this procedure again but now I'm
> receiving "chain could not be validated" errors in SecureW2. Radius log
> seems fine however EAP communication is not finished which corresponds with
> the client stopping communication since it can't validate the certificate.
> I'm really getting lost in the SSL jungle? I would really like to understand
> how this is done right, since it is about security.

It would help to read the Makefile and understand it. Your goal is to 
produce multiple certificates, each with a unique subject (e.g. the host 
name of the radius server) and have it signed by the ca. There is no 
need to do this process on each machine, the creation of certs can be 
done on any machine.

Find the part of the Makefile which says this:

"Create a new server certificate, signed by the above CA."

If you make the target server.pem target (e.g. make server) it will 
cause the Makefile to execute a series of commands to produce the 
certificate starting with a CSR (Certificate Signing Request). Note, the 
server.csr target depends on server.cnf so make sure you edit this for 
each server whose certificate you want to generate (see the req(1) man 
page to understand how the certificate subject, e.g. DN, may be specified).

But also note in the Makefile that server.crt is dependent on ca.key and 
ca.pem, which themselves are dependent on ca.cnf. If when you copy the 
files the ca.cnf file ends up with a newer timestamp than ca.key or 
ca.pem then a new ca will be created, you don't want that. You can 
either fix the timestamps using touch or just make all the certs on one 
machine so you don't have to worry about the ca being recreated.


After you've created your certificates on the one machine (don't foget 
to rename the server.{crt,p12,pem} files) dump them out using

openssl x509 -in XXX.pem -inform PEM -text

and verify each has the certificate subject you expected.

Then verify the each cert with:

openssl verify -CAfile ca.pem XXX.pem

If that succeeds you'll know each is successfully signed by the same ca 
and you can distribute that ca to your clients. Then copy your server 
certs to your RADIUS hosts, don't forget to edit the config so 
certificate names match how you named your certs (it will no longer be 
server.{crt,p12,pem}.
-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/