change of CA

Alan DeKok aland at
Wed Nov 9 09:46:48 UTC 2022

On Nov 9, 2022, at 5:59 AM, Burn Zero <burnzerog at> wrote:
> Currently we have laptops (Windows 10) which authenticate via
> FreeRADIUS using EAP-TLS. Now, I am going to change the CA and the
> laptops will get the new cert from the new CA (which will be used for
> authentication) and the old cert will be deleted. I have prepared to
> accept both old and new CA certs in the FreeRADIUS.

  That should be fine.

> We also have cache enabled in the eap module - Will this affect the
> connectivity of laptops since the cached attributes contain the old
> cert details from the old CA?

  If the old CA is still valid on FreeRADIUS, no.

  If the old CA is still used on the clients after you delete it from FreeRADIUS, yes.

  The issue here isn't FreeRADIUS or any EAP cache.  The issue is the clients configured to use the old CA.  Once all clients are configured to use the new CA, you can delete the old one from FreeRADIUS.  And nothing is affected.

  And yes, changing CAs / WiFi configuration will cause connections to be dropped, and then re-established using the new credentials.  In which case the new credentials aren't using the old cache.

  Alan DeKok.
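
The overlap period described in the reply above, as an added example that is not part of the original thread: throwaway CAs and client certificates are generated with the `openssl` CLI, and each client is verified against a trust bundle holding both CAs, then only the new one. All names (`old-ca`, `new-ca`, `laptop-old`, `laptop-new`, `bundle.pem`) are constructed for the demo; `bundle.pem` stands in for the CA file the server trusts.

```shell
#!/bin/sh
# Constructed demo data only: nothing here comes from a real deployment.
WORK=$(mktemp -d)

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {       # $1 = CA name; writes $1.key and a self-signed $1.pem
    openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_client() {  # $1 = client name, $2 = name of the issuing CA
    openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 30 \
        -out "$WORK/$1.pem" 2>/dev/null
}

accepted_by() {   # $1 = client name, remaining args = CAs the server trusts
    client=$1; shift
    : > "$WORK/bundle.pem"
    for ca in "$@"; do cat "$WORK/$ca.pem" >> "$WORK/bundle.pem"; done
    openssl verify -CAfile "$WORK/bundle.pem" "$WORK/$client.pem" >/dev/null 2>&1
}

report() {        # print the outcome for both laptops under one trust list
    for c in laptop-old laptop-new; do
        if accepted_by "$c" "$@"; then echo "  $c: accepted"
        else echo "  $c: rejected"; fi
    done
}

make_ca old-ca; make_ca new-ca
issue_client laptop-old old-ca      # client not yet migrated
issue_client laptop-new new-ca      # client already migrated
echo "server trusts old + new CA:"; report old-ca new-ca
echo "server trusts new CA only:";  report new-ca
```

Running the same `openssl verify` check against real client certificates before removing the old CA shows which machines would be rejected afterwards.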
