EAP-TLS and client certs issued with different CA's

Alan DeKok aland at deployingradius.com
Sat Sep 13 17:58:44 CEST 2014

Bruncko Michal wrote:
> I am successfully using Freeradius in our Wifi environment using EAP-TLS
> in a single-CA environment - i.e. the same CA was used to sign both server and
> client SSL certificates. Now I have started to use a new certificate PKI
> with a new CA hierarchy - RootCA -> SubCA -> Wifi certificates, but I
> wanted to keep the existing legacy CA in place. This means:
> - that I wanted to use client certificates issued by two different CAs
> for EAP-TLS authentication
> - and as I mentioned before, the new CA is a subCA of the new rootCA.
> - and the server certificate is still signed using the legacy CA

  You will need to configure two different "eap" modules.  One for the
first CA, and another for the second CA.

  Then in the "authorize" section, look at the User-Name.  For one set
of users, run the "eap_ca1" module.  For another set of users, run the
"eap_ca2" module.

  You will need to list "eap_ca1" and "eap_ca2" in the "authenticate"
section, too.

> Questions:
> - What am I doing wrong? Am I missing anything in order to get working EAP-TLS
> authentication over both the legacy CA and the new CA?

  The EAP module handles only one CA.  If you need two CAs, you need two
EAP modules.

  Alan DeKok.
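A configuration sketch of the two-instance setup described in the reply above, added here as an illustration and not taken from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x eap.conf/unlang syntax, placeholder certificate paths under /etc/raddb/certs, and that legacy users can be recognised by an @legacy.example.com suffix in User-Name.

```text
# eap.conf: one eap instance per trust store. Both serve the same server
# certificate (still signed by the legacy CA, as in the question); only the
# CA_file differs, so each instance accepts client certs from one PKI only.
# Paths are placeholders (assumed layout under /etc/raddb/certs).
eap eap_ca1 {
    default_eap_type = tls
    tls {
        certificate_file = /etc/raddb/certs/wifi-server.pem
        private_key_file = /etc/raddb/certs/wifi-server.key
        # legacy CA only
        CA_file = /etc/raddb/certs/legacy-ca.pem
    }
}

eap eap_ca2 {
    default_eap_type = tls
    tls {
        certificate_file = /etc/raddb/certs/wifi-server.pem
        private_key_file = /etc/raddb/certs/wifi-server.key
        # new hierarchy: RootCA and SubCA concatenated in one PEM file,
        # so the full chain of a Wifi client cert can be verified
        CA_file = /etc/raddb/certs/new-rootca-and-subca.pem
    }
}

# sites-enabled/default: User-Name is an unauthenticated hint that only
# selects which trust store is tried; the certificate check inside the
# chosen instance is what actually authenticates the client.
authorize {
    preprocess
    if (User-Name =~ /@legacy\.example\.com$/) {
        eap_ca1 {
            ok = return
        }
    }
    else {
        eap_ca2 {
            ok = return
        }
    }
    files
}

authenticate {
    # both instances must be listed: in authorize each eap instance sets
    # Auth-Type to its own instance name, and that instance runs here
    eap_ca1
    eap_ca2
}
```

A client presenting a certificate from the other PKI is routed to the wrong instance by its User-Name and fails TLS verification there, which is the intended outcome rather than a fallback.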
