EAP TLS against multiple certificates?

Alan DeKok aland at deployingradius.com
Wed May 3 16:41:53 CEST 2017

On May 3, 2017, at 10:34 AM, David Hartburn <D.J.Hartburn at kent.ac.uk> wrote:
> The clients had SHA1 certs and the FreeRADIUS server has a SHA1 chain.
> Clients have just started to upgrade to SHA256 certificates which fail when authing against the SHA1 chain on the server.

  Which makes sense.  The clients need to be able to validate the CA and server certs.

> I have generated on our dev server a SHA256 chain, which will allow those clients which have updated to authenticate, but it will lock out those which still have SHA1.

  No, it won't.

> If it is possible to use both types of chain, how do I go about that? It does not look like you can have two ca_file entries in the eap tls-config section. Is it possible to cat the two server files into a single file pointed to by ca_file and have it work that way?

  You can just put all of the certificate chains into one file.

  Alan DeKok.
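As an added example (not from this thread), a small POSIX shell helper that builds the single ca_file bundle Alan describes from a SHA1 chain and a SHA256 chain, keeping one copy of any certificate both chains share (typically the root), and counts what ended up in the result; the file names sha1-chain.pem and sha256-chain.pem and the placeholder certificate bodies are constructed for the demonstration, and the optional verify step assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Build one ca_file bundle for FreeRADIUS eap { tls-config { ca_file = ... } }
# from several CA chain files (here: a SHA1 chain and a SHA256 chain).
# Each certificate is kept once even if both chains contain it.
set -e

# merge_pem_bundles OUT CHAIN... : concatenate PEM CERTIFICATE blocks,
# keeping only the first copy of any block that appears more than once.
merge_pem_bundles() {
    out=$1; shift
    cat "$@" | awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; block = "" }
        inblock { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inblock = 0
            if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }' > "$out"
}

# count_certs FILE : number of certificates in a PEM bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_with_bundle BUNDLE CERT : check that a client certificate from either
# generation still chains to the merged bundle, as the EAP-TLS server will.
# Requires the openssl CLI; not exercised by the demonstration below.
verify_with_bundle() {
    openssl verify -CAfile "$1" "$2"
}

# make_sample_chains DIR : write two constructed placeholder chains (not real
# certificates) that share the same root but have different intermediates.
make_sample_chains() {
    printf -- '-----BEGIN CERTIFICATE-----\nROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$1/sha1-chain.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nSHA1-INTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----\n' >> "$1/sha1-chain.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$1/sha256-chain.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nSHA256-INTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----\n' >> "$1/sha256-chain.pem"
}

workdir=$(mktemp -d)
make_sample_chains "$workdir"
merge_pem_bundles "$workdir/ca-bundle.pem" "$workdir/sha1-chain.pem" "$workdir/sha256-chain.pem"
echo "certificates in merged ca_file: $(count_certs "$workdir/ca-bundle.pem")"   # prints 3, not 4
```

Point ca_file at the merged bundle and restart FreeRADIUS; running verify_with_bundle against one SHA1-era and one SHA256-era client certificate is the quick way to confirm both chains are intact before rolling it out.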
