Help in configuring freeradius to support two server certificates in EAP-TLS

Alan DeKok aland at
Thu Nov 11 18:20:40 CET 2021

On Nov 11, 2021, at 9:13 AM, Hello Users <hellousers1987 at> wrote:
> I am new to freeradius. I need to configure the radius server to support
> clients authenticating using two different certificate authorities. Already
> existing server certificate is about to expire and the requirement is to
> support both new and old certificates during the transition period.

  That's fairly normal.  The simple answer here is that you put *both* CAs into the clients.  Then it doesn't matter which server cert is used.

  The server just uses cert1 until you're sure that all clients have both CAs.  Then, swap the server to using cert2.

  Then, delete CA1 from all of the clients.

  It's *much* harder to dynamically switch out server certs based on ??? some magic criteria.

> The Freeradius version used is 3.0.20 and testing done in raspberry pi 3.
> I found a similar query over
> and tried to
> configure it as mentioned.
> authenticate {
>   ...
>   eap1
>   eap2
> }

  Except all that does is try to run BOTH modules.  You can't do TLS negotiation / decryption / whatever twice.  It's just not going to work.

> But in the authorize {} section, I could configure either eap1 or eap2. If
> both are configured I am getting errors as below while authenticating.
> (1) Found Auth-Type = eap1
> (1) Found Auth-Type = eap2
> "ERROR: Warning:  Found 2 auth-types on request for user 'hellouser'"

  Exactly.  The server prevents you from doing something terrible.

> Attaching the full log for reference.
> So my doubts are
> 1) Do we need to mention explicitly in the user file which eap method to be
> used as below ? Even I tried it, but it's not working. Can anyone help me
> with this.
> DEFAULT Called-Station-ID = "00112233445566:SSID1", Auth-Type := eap1
> DEFAULT Called-Station-ID = "00112233445566:SSID2", Auth-Type := eap2

  Something like that might work, but you'd need to (a) not list any EAP modules in the "authorize" section, and (b) ensure that *all* requests get assigned the correct EAP Auth-Type.

> 2) Also in my case, I won't be able to configure stations IDs as above.
> Is there any way to configure radius server like it should try with eap1
> first and if it fails then try with eap2.

  That's absolutely impossible.  TLS doesn't work that way.

  Alan DeKok.
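
A pre-flight check for the CA rollover described in the reply above, added here as an example (it is not from the original post or from the FreeRADIUS project): it builds throwaway CAs and server certificates with `openssl` and reports whether a client trust bundle accepts the old server certificate, the new one, or both. The names `ca1`, `ca2`, `cert1`, `cert2` and all helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; every file name below is constructed for illustration.

# make_ca NAME: create a throwaway self-signed CA (NAME.key, NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# make_server_cert NAME CA: issue NAME.pem, signed by CA.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 2 -out "$1.pem" >/dev/null 2>&1
}

# bundle_trusts BUNDLE CERT: succeed only if CERT chains to a CA in BUNDLE.
# -no-CApath keeps the system trust store out of the decision.
bundle_trusts() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# rollover_stage BUNDLE OLDCERT NEWCERT: name the step a client bundle is at.
rollover_stage() {
    old=no; new=no
    bundle_trusts "$1" "$2" && old=yes
    bundle_trusts "$1" "$3" && new=yes
    case "$old/$new" in
        yes/no)  echo "old-only" ;;  # swapping the server cert now breaks this client
        yes/yes) echo "both" ;;      # server can move from cert1 to cert2
        no/yes)  echo "new-only" ;;  # CA1 removed; server must already use cert2
        *)       echo "neither" ;;   # client rejects the server either way
    esac
}

# demo: walk one client bundle through the three stages of the rollover.
demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    make_ca ca1 && make_ca ca2 || return 1
    make_server_cert cert1 ca1 && make_server_cert cert2 ca2 || return 1
    cat ca1.pem ca2.pem > both.pem
    rollover_stage ca1.pem  cert1.pem cert2.pem   # before: CA1 only
    rollover_stage both.pem cert1.pem cert2.pem   # transition: CA1 + CA2
    rollover_stage ca2.pem  cert1.pem cert2.pem   # after: CA2 only
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Pointing `rollover_stage` at a real client bundle and the two real server certificates shows whether that client would survive the swap before the server configuration is changed.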
