Multiple EAP-TLS modules with different certificates
Alan DeKok
aland at deployingradius.com
Wed Mar 31 21:30:50 CEST 2010
Thibault Le Meur wrote:
> In order to avoid a complete breakout when I change the certificate of
> my radius server (because a manual operation is required on the
> supplicant side to select the new CA), I'd like to configure FR so that:
> * when the WiFi client connects to the SSID1, the server uses the old
> certificate and key,
> * and when the client uses the SSID2, the radius server uses the new
> certificate and key
>
> Is this possible?
Yes. Others use multiple certs && multiple EAP modules.
> The result so far is that with such setup my wireless clients can't
> connect at all when they check the certificate, but can connect when
> they don't (no matter what setup is done on the client side). Of course
> I've installed the 2 certificates on the client to check this.
>
> A quick look at FR debug logs confirms, as far as I can read them, that
> the client is refusing the radius server certificate.
I don't think that's in the debug log.
> Is there a client tool to check which certificate is used by FR?
wireshark might do it.
> Have I missed something in the setup ?
Did you test each piece in isolation before putting it all together?
> I've tried to turn on Windows EAP log, but they aren't very easy to read
> as far as TLS/TTLS/PEAP authentication is concerned!
They're horrible...
Alan DeKok.
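The "multiple certs && multiple EAP modules" setup the reply points to, written out as an added example (it is not configuration from this thread or from the FreeRADIUS project). It assumes FreeRADIUS 2.x syntax, that the access point sends Called-Station-Id as "AP-MAC:SSID" (many do, but confirm it in `radiusd -X` output first), and that each `eap` instance sets Auth-Type to its own instance name so the matching instance is picked in `authenticate`. Instance names (eap_old, eap_new), SSID names and certificate paths are placeholders.

```conf
# eap.conf: two rlm_eap instances, each with its own server certificate.
# eap_old / eap_new, the SSIDs and the file names are placeholders.
eap eap_old {
    default_eap_type = tls
    timer_expire = 60
    tls {
        certdir = ${confdir}/certs
        private_key_file = ${certdir}/old-server.key
        certificate_file = ${certdir}/old-server.pem
        # CA the supplicants already trust for the old certificate
        CA_file = ${certdir}/old-ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }
}

eap eap_new {
    default_eap_type = tls
    timer_expire = 60
    tls {
        certdir = ${confdir}/certs
        private_key_file = ${certdir}/new-server.key
        certificate_file = ${certdir}/new-server.pem
        # CA that the supplicants must be configured to trust for SSID2
        CA_file = ${certdir}/new-ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }
}

# sites-enabled/default: choose the instance from the SSID carried in
# Called-Station-Id ("<AP-MAC>:<SSID>" on most access points).
authorize {
    preprocess
    if (Called-Station-Id =~ /:SSID1$/) {
        # SSID1 keeps presenting the old certificate
        eap_old {
            ok = return
        }
    }
    else {
        # everything else (SSID2) gets the new certificate
        eap_new {
            ok = return
        }
    }
    files
}

# Both instances are listed; the server calls the one whose name was
# set as Auth-Type during authorize (assumption: 2.x behaviour).
authenticate {
    eap_old
    eap_new
}
```

Test each instance on its own first, as the reply suggests: point a single SSID at the server, run `radiusd -X`, and check that the TLS handshake in the debug output refers to the expected certificate file before enabling the second instance.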