Seemingly obvious question

Alan DeKok aland at deployingradius.com
Mon Nov 29 01:18:17 CET 2021


On Nov 28, 2021, at 6:58 PM, Gregory Sloop <gregs at sloop.net> wrote:
> I'm running Ubuntu 20.04's packaged FR - and been happy with Enterprise-WPA using EAP-TLS on a single server - authenticating wireless clients. 

  It might be good to upgrade.  But if it works...

> But we're putting more and more machines on E-WPA, and so the FR server becomes a critical resource.
> The obvious answer is to have two/multiple servers and that's an option in Unifi. (And most/all other Wi-Fi APs.)

  Yes.

> The question is: Since I'm just using certificates is there anything different that I really need to do, other than setting up the new server, essentially, identically to the first one?

  Nope.

  The certificates describe functionality (WiFi auth).  They don't need to describe a particular instance of a running process.  You can put unique certificates on each machine, but it's not necessary.

> If I revoke certificates I understand I'll need to complete that process on both machines - essentially manually keeping them in sync.

  Yes.

> Do I have that right?

  Yes.

  You should use something like "git" to track the configurations.  Keep a git copy somewhere on another non-RADIUS server.  Then on each RADIUS server, get copies of the configuration from there.

  When you make changes to one server, "git commit" and "git push".  Then go to the other server, "git pull".  Presto!  The configurations are in sync.

> (In this setup, both servers will use the same key and certificate - which means I can't revoke one and leave the other running, but that (revoking a server) really doesn't work anyway, since the clients don't look up a CRL somewhere reliable anyway. So, if I lose control of one of the servers, I'm screwed and will have to rebuild the entire PKI framework again, but that's going to happen even if I use different certs/keys for both servers. ...provided I conceptually understand things correctly.)

  Just put all of the configuration (including PKI) into a "git" repository.  Then, save that off-box.  If you lose a machine, install a clean Ubuntu image, and then "git clone" the configuration.

  It's really that easy.

  Alan DeKok.
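
The pull-and-verify step that would run on each RADIUS server, as an added example that is not from the thread or the FreeRADIUS project. It assumes the Ubuntu package's /etc/freeradius/3.0 layout and a SHA256SUMS manifest of the PKI files committed in the same git repository as the configuration, so a pull that silently left one server with a stale certificate or CRL is caught before the server is restarted:

```sh
#!/bin/sh
# Added example (not from the thread). Pull the shared FreeRADIUS configuration
# from the off-box git repository, verify the PKI files match the committed
# manifest, check the config parses, then restart. Paths are assumptions for
# the Ubuntu 20.04 package; adjust RADDB if your layout differs.
set -eu

RADDB="${RADDB:-/etc/freeradius/3.0}"   # assumed package config directory
CERTDIR="${CERTDIR:-$RADDB/certs}"       # assumed location of CA, cert, key, CRL
MANIFEST="${MANIFEST:-SHA256SUMS}"       # assumed manifest file inside CERTDIR

# Fetch the latest committed configuration; fast-forward only, so a server
# whose local tree diverged from the repository fails loudly instead of merging.
pull_config() {
    git -C "$RADDB" pull --ff-only
}

# Verify every PKI file listed in the manifest (CA, server cert/key, CRL)
# matches what was committed, so both servers run the same certificates and
# the same revocation list. Returns 0 when in sync, non-zero otherwise.
verify_pki() {
    dir="$1"
    manifest="$2"
    [ -f "$dir/$manifest" ] || { echo "missing manifest $dir/$manifest" >&2; return 1; }
    ( cd "$dir" && sha256sum -c "$manifest" >/dev/null )
}

# Parse the configuration without serving; a broken pull is rejected here
# rather than discovered when the daemon fails to come back up.
check_config() {
    freeradius -C -d "$RADDB" >/dev/null
}

# Full deployment: any failing step aborts before the running server is touched.
# Restarting (rather than reloading) guarantees the new certificates and CRL
# are loaded; the second RADIUS server keeps serving clients meanwhile.
deploy() {
    pull_config
    verify_pki "$CERTDIR" "$MANIFEST"
    check_config
    systemctl restart freeradius
}

case "${1:-}" in
    run) deploy ;;
esac
```

Invoke as `sh deploy.sh run` on each server after a `git push` from wherever the change was made; regenerate the manifest with `sha256sum *.pem *.crl > SHA256SUMS` in the certs directory and commit it whenever certificates or the CRL change.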