Free Radius 2.1.10 ubuntu 10.10 Multiple RootCA

Kris Armstrong kris.armstrong at
Tue Oct 25 17:07:29 CEST 2011

I am trying to configure FreeRADIUS with multiple root CAs.  This is not a production environment; it is purely a test environment.  We need the ability to test out products against FreeRADIUS and other RADIUS servers using multiple different certificate sizes and root CAs.

I currently have the following in my eap.conf file.  Based on the way I read the eap.conf file, this would be the correct way of doing it.  Here is what happens: I can authenticate against the first root CA, no matter which one it is, as long as it's the first in the list.  It's like all other CAs are ignored.  In the config below, as you can see, I have commented out the first few root CAs and 1024ca.pem is currently the first in the list.  I am able to authenticate against this one but none past it.  If I comment out 1024, then I can authenticate against the next.  Any help would be greatly appreciated.

I had read on another forum that in order to support multiple root CAs you just put them all in the same file.  I tried this as well, with just the certs and also with the certs and the private keys; neither seemed to work.  I believe that was on a RADIUS 1.x server though, so maybe there is a change in 2.x?  Any thoughts or ideas on what I might be missing would be greatly appreciated.  Thanks in advance.

Freeradius 2.1.10
Ubuntu 10.04

                        #certdir = ${confdir}/certs
                        #cadir = ${confdir}/certs

                        #certdir = /etc/freeradius/certs20080204
                        #cadir = /etc/freeradius/certs20080204
                        certdir = /etc/freeradius/Certs11-20-2011/client/pem
                        cadir = /etc/freeradius/Certs11-20-2011/CA/pem

                        #private_key_password = whatever
                        #private_key_file = ${certdir}/server.pem

                        private_key_password = passphrase
                        #private_key_file = ${certdir}/1010Client.pem
                        private_key_file = ${certdir}/1024_1024client.pem

                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        #  If CA_file (below) is not used, then the
                        #  certificate_file below MUST include not
                        #  only the server certificate, but ALSO all
                        #  of the CA certificates used to sign the
                        #  server certificate.
                        #certificate_file = ${certdir}/server.pem

                        #certificate_file = ${certdir}/1010Client.pem
                        certificate_file = ${certdir}/1024_1024client.pem

                        #  Trusted Root CA list
                        #  ALL of the CA's in this list will be trusted
                        #  to issue client certificates for authentication.
                        #  In general, you should use self-signed
                        #  certificates for 802.1x (EAP) authentication.
                        #  In that case, this CA file should contain
                        #  *one* CA certificate.
                        #  This parameter is used only for EAP-TLS,
                        #  when you issue client certificates.  If you do
                        #  not use client certificates, and you do not want
                        #  to permit EAP-TLS authentication, then delete
                        #  this configuration item.
                        #CA_file = ${cadir}/ca.pem

                        #CA_file = ${cadir}/PV_10_CA.pem
                        #CA_file = ${cadir}/CA/pem/1024ca.pem
                        #CA_file = ${cadir}/512ca.pem
                        #CA_file = ${cadir}/768ca.pem
                        CA_file = ${cadir}/1024ca.pem
                        CA_file = ${cadir}/1280ca.pem
                        CA_file = ${cadir}/1536ca.pem
                        CA_file = ${cadir}/1792ca.pem
                        CA_file = ${cadir}/2048ca.pem
                        CA_file = ${cadir}/4096ca.pem


Kris Armstrong
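
The tls section takes a single CA_file value, so repeating the directive as in the config above does not accumulate CAs; the documented way to trust several roots is to put every root certificate into that one file (certificates only: the RADIUS server never needs the CA private keys, and they should not be on that host at all). FreeRADIUS 2.x also has a CA_path directive for a directory of certificates named by subject hash, the layout c_rehash produces. The script below is an added example, not from the post above or from the FreeRADIUS project: it generates two test root CAs and one client certificate per CA with openssl, builds both a concatenated bundle and a hashed directory, writes the matching tls lines, and shows with openssl verify that a single root rejects the other CA's client (the symptom reported in the post) while the bundle accepts both. The key sizes, file names and scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not taken from the post or from the FreeRADIUS project.
# Builds several self-signed test root CAs, one client cert per CA, and then
# the two trust stores FreeRADIUS 2.x can consume: a single concatenated
# CA_file bundle and a hashed CA_path directory.  The tls { } section holds
# one CA_file value; repeating the directive does not add CAs.
# Assumptions: the openssl CLI is installed; CA names follow the post's
# "<keysize>ca.pem" convention; WORK is a scratch directory.
set -eu

WORK=${WORK:-$(mktemp -d)}
KEYSIZES="2048 3072"            # assumed: one root CA per RSA key size

# Minimal openssl config so the roots carry CA:TRUE regardless of what the
# system openssl.cnf does (or whether it exists).
cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden by -subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca SIZE: self-signed root "<SIZE>ca.pem" plus a client cert it issued.
make_ca() {
    size=$1
    openssl req -x509 -newkey "rsa:$size" -nodes -days 30 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -subj "/CN=Test Root CA $size" \
        -keyout "$WORK/${size}ca.key" -out "$WORK/${size}ca.pem" 2>/dev/null
    openssl req -new -newkey "rsa:$size" -nodes \
        -config "$WORK/ca.cnf" \
        -subj "/CN=client-$size" \
        -keyout "$WORK/${size}client.key" -out "$WORK/${size}client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/${size}client.csr" \
        -CA "$WORK/${size}ca.pem" -CAkey "$WORK/${size}ca.key" -CAcreateserial \
        -out "$WORK/${size}client.pem" 2>/dev/null
}

# build_bundle: one CA_file with every root appended.  Only the certificates
# go in; the CA private keys stay off the RADIUS host.
build_bundle() {
    : >"$WORK/ca-bundle.pem"
    for size in $KEYSIZES; do
        cat "$WORK/${size}ca.pem" >>"$WORK/ca-bundle.pem"
    done
}

# build_capath: the alternative layout, a directory of <subject-hash>.0
# files (what c_rehash produces), usable as CA_path.
build_capath() {
    mkdir -p "$WORK/cadir"
    for size in $KEYSIZES; do
        h=$(openssl x509 -noout -hash -in "$WORK/${size}ca.pem")
        cp "$WORK/${size}ca.pem" "$WORK/cadir/$h.0"
    done
}

# count_bundle_certs: number of certificates in the bundle.
count_bundle_certs() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/ca-bundle.pem"
}

# verify_with_file CAFILE CERT / verify_with_path CADIR CERT: the same
# issuer check the server performs on an EAP-TLS client certificate.
verify_with_file() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
verify_with_path() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# write_tls_snippet: the eap.conf tls { } lines that trust every root in
# the bundle (or, commented out, every root in the hashed directory).
write_tls_snippet() {
    cat >"$WORK/eap-tls.conf" <<EOF
        tls {
                cadir = $WORK
                CA_file = \${cadir}/ca-bundle.pem
                #CA_path = \${cadir}/cadir
        }
EOF
}

for size in $KEYSIZES; do make_ca "$size"; done
build_bundle
build_capath
write_tls_snippet

# A single root on its own rejects the other CA's client (the post's
# symptom); the bundle accepts every client.
for size in $KEYSIZES; do
    verify_with_file "$WORK/ca-bundle.pem" "$WORK/${size}client.pem" \
        && echo "bundle accepts client-$size"
done
```

Drop the generated ca-bundle.pem into the cadir from the post, point the single CA_file line at it, and restart the server; if you prefer CA_path, run c_rehash on the directory every time a root is added or removed, since the lookup is by hash file name, not by file contents.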
