Can I use two or more freeradius server certificates for the same virtual site?

Christian Strauf strauf at rz.tu-clausthal.de
Thu Nov 1 14:12:09 CET 2018


Hi Vladimir,

> In hope that this will work like it works with modules with different
> types (chap -> mschap -> pap). If client does not accept server
> certificate from the first module, then try to send certificate from
> the second module. But eap module is not simple and is called multiply
> times (Challenge response) to setup eap session, thus this approach
> does not work.
This approach doesn't work since the EAP process will fail as soon as the client sees a certificate signed by an unknown CA.

Your problem is well known though. It occurs when (for some reason) a CA certificate needs to be changed or becomes invalid. For security reasons you normally trust only one CA on a client and only accept server certs signed by that particular CA. However, there's a method that works for tunneled EAP methods like PEAP or EAP-TTLS. You can "signal" what CA a client expects by using different outer (anonymous) identities. For example you could use "anonymous@...." for clients that trust the old CA and "anonymous2@..." for those that trust the new CA. You can then define the two modules "eap" and "eap2" and do something like

	# Outer identity selects which rlm_eap instance (and therefore which
	# server certificate chain) answers the request.
	if ( &User-Name == "anonymous@your-realm" ) {
		eap {
			ok = return
		}
	} else {
		eap2 {
			ok = return
		}
	}

(you should probably not use "else" but rather use two "if" statements; but you get what I mean) in the authorize section of the site for which you need to offer server certs signed by different CAs.

Kind regards,
Christian
-- 
Dipl.-Math. Christian Strauf
Clausthal Univ. of Technology   E-Mail: strauf at rz.tu-clausthal.de
Rechenzentrum                   Web:    www.rz.tu-clausthal.de
Erzstraße 18                    Tel.:   +49-5323-72-2086 Fax: -992086
D-38678 Clausthal-Zellerfeld
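A fuller version of the setup described in the reply above, as an added example that is not part of the original message or of the FreeRADIUS distribution. It assumes FreeRADIUS 3.x layout and syntax, that the existing "eap" module keeps serving the certificate from the old CA, and that the file names server-newca.key, server-newca.pem and new-ca.pem, the realm "your-realm" and the outer identities "anonymous@your-realm" and "anonymous2@your-realm" are placeholders chosen for this example. The second instance is a named copy of rlm_eap with its own tls-config section; because rlm_eap sets Auth-Type to its own instance name during authorize, "eap2" must also be listed in the authenticate section.

```unlang
# mods-enabled/eap2 -- second rlm_eap instance, serving the certificate
# issued by the new CA.  Paths and names below are example assumptions.
eap eap2 {
	default_eap_type = peap
	timer_expire = 60
	ignore_unknown_eap_types = no
	max_sessions = ${max_requests}

	# Separate TLS configuration: the server cert/key pair signed by the
	# new CA.  Clients that trust only the new CA must be routed here.
	tls-config tls-newca {
		private_key_file = ${certdir}/server-newca.key
		certificate_file = ${certdir}/server-newca.pem
		ca_file = ${cadir}/new-ca.pem
		dh_file = ${certdir}/dh
		cipher_list = "DEFAULT"
		cache {
			enable = no
		}
	}

	tls {
		tls = tls-newca
	}
	ttls {
		tls = tls-newca
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
	peap {
		tls = tls-newca
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# sites-enabled/default -- relevant parts only.
server default {
	authorize {
		# ... preprocess, suffix, etc. as in the stock configuration ...

		# The outer identity is sent in the clear and is NOT authenticated.
		# It is used here only to pick a certificate chain; the user is
		# still authenticated inside the TLS tunnel (inner-tunnel).
		if ( &User-Name == "anonymous@your-realm" ) {
			eap {
				ok = return
			}
		}
		if ( &User-Name == "anonymous2@your-realm" ) {
			eap2 {
				ok = return
			}
		}
		# Anything else (e.g. real user names sent in the clear) keeps
		# the old behaviour and gets the old certificate.
		eap {
			ok = return
		}

		# ... files, sql, pap, etc. ...
	}

	authenticate {
		# ... pap, chap, mschap ...
		eap
		eap2
	}
}
```

To check that each outer identity really gets the intended chain, run a supplicant test against the server twice, e.g. with wpa_supplicant's eapol_test ("eapol_test -c <conf> -s <shared-secret>"), once with anonymous_identity="anonymous@your-realm" and ca_cert pointing at the old CA, and once with "anonymous2@your-realm" and the new CA; each run should succeed only with its matching CA file. Once every client has been moved to the new CA, drop the first "if" block and the old instance so the retired chain is no longer offered at all.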
