EAP-TLS and client certs issued with different CA's

Bruncko Michal Michal.Bruncko at zssos.sk
Sun Sep 14 15:18:41 CEST 2014

Thanks Alan for very clear responses.

2014-09-13 17:58 odosielateľ napísal:
> Bruncko Michal wrote:
>> I am successfully using Freeradius in our Wifi environment using 
>> in single-CA environment - i.e same CA was used to sign both server 
>> and
>> clients SSL certificates. Now I have started to use new certificate 
>> PKI
>> with new CA hierarchy - RootCA -> SubCA -> Wifi certificates, but I
>> wanted to keep existing legacy CA in place. This means:
>> - that I wanted to use client certificates issued by two different 
>> CA's
>> for EAP-TLS authentication
>> - and as I mentioned before, the new CA is a subCA of new rootCA.
>> - and server certificate is signed still using legacy CA
>   You will need to configure two different "eap" modules.  One for the
> first CA, and the another for the second CA.
>   Then in the "authorize" section, look at the User-Name.  For one set
> of users, run the "eap_ca1" module.  For another set of users, run the
> "eap_ca2" module.
>   You will need to list "eap_ca1" and "eap_ca2" in the "authenticate"
> section, too.
>> Questions:
>> - what I am doing wrong? Miss I anything in order to get working 
>> authentication over both legacy CA and new CA?
>   The EAP module handles only one CA.  If you need two CAs, you need 
> two
> EAP modules.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list