Certificate Compatibility

Ben Wiechman wiechman.lists at gmail.com
Tue Mar 29 20:03:26 CEST 2011

The SM is bucky. To deploy a new certificate you need to delete at
least one of the existing certificates and reboot the SM. That slot
should now be empty and should say "Certificate X not present in the
system." At this point you can import your new certificate.
Some SMs however are cranky about actually deleting the certificates.
After a reboot the deleted certificate is still present. CNUT seems to
work much better when deploying the certificates for some reason. I
haven't had it fail yet. Don't ask me. See the Tools menu.

Alternatively you could use the aaasvr* certificates included with the
firmware. Every SM should have that cacert_aaasvr.pem certificate
pre-loaded. I'd recommend generating your own certificates however.

You need to generate a CA certificate and use that to sign your server
certificate. Configure both of these appropriately in your eap.conf
file. If the AP doesn't have a time source it starts its clock at
1/1/2001, so you may want to generate both certificates with a valid
start date before 1/1/2001. If your AP believes the time is prior to
the issuing date in your certificates authentication will fail and the
SM will be locked out for 15 minutes...

You need to install a copy of that CA certificate on every SM. You do
not need to generate a different certificate for each device. See the
limitations on self signed certificates and third party certificates
in the release notes. In general you can just use the procedures
outlined for EAP in the wiki/deployingradius.org to generate your CA
certificate, with the caveat that those certificates will be valid
from the time you generate them forward.

Logging is basic and essentially worthless in the AP and SM. The
underlying RADIUS implementation doesn't provide visibility or better
logging, which Moto says they are hoping to rectify at some point, but
that doesn't help today.

Oh, and if you're using vlans you'll want to wait to deploy the
forthcoming patch in production. There is a memory leak in 11.0 that
will cause the SM to crash when it has to filter downstream broadcast


On Tue, Mar 29, 2011 at 12:38 PM, Jim Rice <jmrice6640 at yahoo.com> wrote:
> I believe that installing a certificate on the SM removes both of the defaults.
> Does this mean then that one slot is for the CA cert, and the other is for a client cert?
> Do we need to generate and install client certificates for every SM?
> I thought the AP was the Radius Client in this case, and was handling the TLS handshake?  Or does the SM provide its certificates to the AP along with the "user identity" and MAC address when it connects?
> (Just when I thought I was beginning to understand all of this...)
> --- On Tue, 3/29/11, Ben Wiechman <wiechman.lists at gmail.com> wrote:
>> You don't have the right CA
>> certificate installed on the SM. Check the
>> certificates listed under the Security tab in the SM and
>> make sure
>> that YOUR CA cert is shown in one of the two available
>> slots.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list