FreeRadius with mixed CAs

Thomas Bilk Thomas.Bilk at deutschebahn.com
Mon Jul 4 14:10:12 UTC 2022


Hello.

Is it possible to run FreeRadius (version 3.0.13) with two different CAs? So that I have a server certificate from one CA and the client certificates come from a different CA?

Our current setup in /etc/raddb/mods-enabled/eap looks a bit like this:

...
tls-config tls-common {
  certificate_file = ${certdir}/server.pem  # certificate only from CA ONE
  ca_file = ${cadir}/ca.pem                 # complete chain from CA TWO
  auto_chain = no
  ca_path = ${cadir}                        # contains all certs/complete chains from both CAs
}
...

And this is the error that I see in the logs:

Tue Jun 14 11:42:02 2022 : ERROR: (9) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
Tue Jun 14 11:42:02 2022 : ERROR: (9) eap_tls: ERROR: TLS_accept: Failed in error
Tue Jun 14 11:42:02 2022 : ERROR: (9) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
Tue Jun 14 11:42:02 2022 : Auth: (9) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [USER/<via Auth-Type = eap>] (from client ap port 1 cli 1A-5E-69-E4-A5-21)

Once clients and the server got their certificates from the same CA, everything worked fine.

So is it even possible to have different CAs for server and client? If yes, what would I have to do to accomplish this task?

Thank you in advance.

Kind regards.

Thomas Bilk
DB Systel GmbH
Weilburger Str. 26-30, 60326 Frankfurt a. Main
