FreeRadius with mixed CAs
Alan DeKok
aland at deployingradius.com
Mon Jul 4 14:34:57 UTC 2022
On Jul 4, 2022, at 10:10 AM, Thomas Bilk <Thomas.Bilk at deutschebahn.com> wrote:
> Is it possible to run FreeRadius (version 3.0.13) with two different CAs? So that I have a server certificate from one CA and the client certificates come from a different CA?
Yes.
But why 3.0.13? Why not 3.2.0? You shouldn't be running a version which is years old. Up-to-date packages are available at http://packages.networkradius.com
> Our current setup in /etc/raddb/mods-enabled/eap looks a bit like that:
>
> ...
> tls-config tls-common {
> certificate_file = ${certdir}/server.pem # certificate only from CA ONE
> ca_file = ${cadir}/ca.pem # complete chain from CA TWO
> auto_chain = no
> ca_path = ${cadir} # contains all certs/complete chains from both CAs
> }
You should use ca_path, and not ca_file. You shouldn't use both.
> And this is the error that I see in the logs:
>
> Tue Jun 14 11:42:02 2022 : ERROR: (9) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
The client doesn't like the CA used to sign the server certs.
> Tue Jun 14 11:42:02 2022 : ERROR: (9) eap_tls: ERROR: TLS_accept: Failed in error
> Tue Jun 14 11:42:02 2022 : ERROR: (9) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> Tue Jun 14 11:42:02 2022 : Auth: (9) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [USER/<via Auth-Type = eap>] (from client ap port 1 cli 1A-5E-69-E4-A5-21)
>
> Once clients and the server got their certificates from the same CA everything worked fine.
Or, you configure both CAs on the client. This is how certificate authentication works. You can't just configure CA2, and then expect the client to accept an unknown server certificate from CA1.
> So is it even possible to have different CAs for server and client? If yes what would I have to do to accomplish this task?
Yes. Configure both CAs on the client.
Alan DeKok.
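The two points in the reply above (the supplicant reports "unknown CA" because it does not trust the root that signed the server certificate, and a hashed directory of roots is what ca_path consumes) can be reproduced on a workstation with nothing but the openssl CLI. The script below is an added example, not part of the original thread or of FreeRADIUS itself: it builds two throw-away CAs, issues the server certificate from the first and the client certificate from the second, and verifies each against (a) only the second root and (b) a directory holding both. All CA names, subjects and paths are constructed for the demo; the only assumption is that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original thread: two toy CAs, a server cert from
# CA ONE, a client cert from CA TWO, and two trust stores to verify against.
# Assumes the openssl CLI is installed. Names/paths below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir, left in place for inspection

# Minimal req/x509 config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed root in $WORK/NAME/ca.pem (key in ca.key)
make_ca() {
    mkdir -p "$WORK/$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$WORK/req.cnf" -subj "/CN=$1 Root" \
        -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.pem" >/dev/null 2>&1
}

# issue CANAME LEAF CN: leaf cert $WORK/LEAF.pem signed by $WORK/CANAME/ca.pem
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$2.csr" \
        -CA "$WORK/$1/ca.pem" -CAkey "$WORK/$1/ca.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions v3_leaf \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# hashed_capath DIR ROOT...: build an OpenSSL-style CApath, the layout that a
# ca_path directory needs: each root linked under <subject-hash>.0, as c_rehash
# does (c_rehash also bumps the suffix on hash collisions; not needed here).
hashed_capath() {
    dir="$1"; shift
    mkdir -p "$dir"
    for ca in "$@"; do
        h=$(openssl x509 -noout -hash -in "$ca")
        ln -sf "$ca" "$dir/$h.0"
    done
}

# verify_file ROOT.pem CERT / verify_path DIR CERT: exit 0 when CERT chains to
# a trusted root, non-zero otherwise. System roots are excluded on purpose.
verify_file() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}
verify_path() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# The scenario from the thread: server from CA ONE, client from CA TWO,
# plus one directory that trusts both roots.
setup() {
    make_ca ca-one
    make_ca ca-two
    issue ca-one server "radius.example.test"
    issue ca-two client "user@example.test"
    hashed_capath "$WORK/capath" "$WORK/ca-one/ca.pem" "$WORK/ca-two/ca.pem"
}

report() {
    if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi
}

setup
# A supplicant that trusts only CA TWO rejects the server cert: "unknown CA".
report verify_file "$WORK/ca-two/ca.pem" "$WORK/server.pem"
# A store holding both roots accepts the server cert and the client cert.
report verify_path "$WORK/capath" "$WORK/server.pem"
report verify_path "$WORK/capath" "$WORK/client.pem"
```

The first `report` line is the situation in the logs quoted above: the server certificate is perfectly valid, but the verifier was only given the other root. The `capath` directory is the same shape a FreeRADIUS `ca_path` (and the supplicant's trusted-CA list) needs: every root that may appear on either side of the EAP-TLS handshake, each under its hashed filename.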