EAP TLS against multiple certificates?

David Hartburn D.J.Hartburn at kent.ac.uk
Wed May 3 15:36:07 CEST 2017


I failed to get anywhere with this problem and it looks like a lot of 
our laptops are broken as we are running a mix of SHA1 and SHA256 client 
certificates all of a sudden.

I remove the comments from the config snipped I posted to make it more 
readable for the list, but they do exist in my original configuration.

		#  In general, you should use self-signed
		#  certificates for 802.1x (EAP) authentication.
		#  In that case, this CA file should contain
		#  *one* CA certificate.

To me this suggests it is not possible to have more than one 
certificate. Is this correct?

If so, any suggestions on how we can solve this issue or is it a case of 
finding every SHA1 client and forcing them to update their cert?

The ideal solution would be to be able to support a SHA1 chain and a 
SHA256 chain as a migratory step, dropping the SHA1 in the near future. 
The only other option was to have a 'change day' when both the servers 
and clients all changed. It looks like that change day may have 
unexpectedly become today!


On 31/03/17 12:49, Alan DeKok wrote:
> On Mar 31, 2017, at 7:02 AM, David Hartburn <D.J.Hartburn at kent.ac.uk> wrote:
>> Is it possible to check EAP-TLS against multiple certificate chains, or bundle two chains together into the same pem file?
>   See the comments for "ca_file" in the default build.  The question is answered there.
>> In terms of config, in mods-enabled/eap, I have
>> 	tls-config loanlaptops {
>> 		private_key_file = ${confdir}/certs/loan_laptop_server.pem
>> 		certificate_file = ${confdir}/certs/loan_laptop_server.pem
>> 		ca_file = ${confdir}/certs/unikentrootCAchain.pem
>   Removing all of the comments makes the configuration smaller, it can also make it harder to understand.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list