EAP TLS against multiple certificates?

David Hartburn D.J.Hartburn at kent.ac.uk
Wed May 3 16:34:04 CEST 2017


The clients had SHA1 certs and the FreeRADIUS server has a SHA1 chain.

Clients have just started to upgrade to SHA256 certificates which fail 
when authing against the SHA1 chain on the server.

I have generated on our dev server a SHA256 chain, which will allow 
those clients which have updated to authenticate, but it will lock out 
those which still have SHA1.

If it is possible to use both types of chain, how do I go about that? It 
does not look like you can have two ca_file entries in the eap 
tls-config section. Is it possible to cat the two server files into a 
single file pointed to by ca_file and have it work that way?


On 03/05/17 15:14, Alan DeKok wrote:
> On May 3, 2017, at 9:36 AM, David Hartburn <D.J.Hartburn at kent.ac.uk> wrote:
>> I remove the comments from the config snipped I posted to make it more readable for the list, but they do exist in my original configuration.
>> 		#  In general, you should use self-signed
>> 		#  certificates for 802.1x (EAP) authentication.
>> 		#  In that case, this CA file should contain
>> 		#  *one* CA certificate.
>> To me this suggests it is not possible to have more than one certificate. Is this correct?
>   No.  It suggests that in some cases you want to use one CA cert.  In other cases, you can use multiple CA certs.
>> If so, any suggestions on how we can solve this issue or is it a case of finding every SHA1 client and forcing them to update their cert?
>   What cert is where?  Do you mean the clients are using certs with SHA1?  Or the CA cert?  Please be specific.
>   And either way, the only way to upgrade the client (client cert or CA cert) is to put the new certs onto the client.
>> The ideal solution would be to be able to support a SHA1 chain and a SHA256 chain as a migratory step, dropping the SHA1 in the near future. The only other option was to have a 'change day' when both the servers and clients all changed. It looks like that change day may have unexpectedly become today!
>   You can use multiple CA certs.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list