hi, in the UK I deal with various questions regarding FreeRADIUS configuration and abilities - occasionally a question pops up that I'm very unfamiliar with or haven't got a direct clue to answer.. today one of those re-emerged and as this might affect anyone at any point I was looking for best practice or a methodology.

Say you have a nice FR setup...all is going well and everything is fine but then you have an issue with the certificate - eg it's going to expire, or it's been revoked...then you are going to have to have a new certificate for your FR server - but your clients will have the old certificate and CA - and your new clients will have the new cert and CA..and you might not be able to sort out all your clients for some time - hopefully before the final day of cert validity!

anyway, in summary, your RADIUS server has to answer to the old clients and the new clients. What is the best practice way or configuration to ensure that your RADIUS server can be both people...old server cert+old_CA and new server cert+new_CA so that it can deal with both types of clients.

I'm thinking 2 virtual servers....one with old eap.conf and the other with new eap.conf with each virtual server ready to deal with each type of client - but then how to direct the incoming EAP the right way. I can't see the normal fall-through group working --because the client has to create the EAP tunnel... or would a normal fallthrough system work... we send it to eap1 and if it fails send it to eap2 (which should be okay if client config okay!) ?

I can envisage fronting it with a.n.other RADIUS solution which will proxy the request through a remote server list UNTIL it doesn't get a REJECT back.. but i don't want additional software in the mix

thanks
alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
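One way to lay out the "two certificate sets on one server" setup the post asks about, as an added example that is not from the post or from the FreeRADIUS project's shipped configuration: two instances of the eap module in FreeRADIUS 3.x syntax, each bound to its own tls-config (old server cert + old CA, new server cert + new CA), and an unlang block in the default virtual server that picks the instance per request. The file paths, the instance name eap-old, and the rule that old clients arrive from the NAS at 192.0.2.10 are assumptions for the example. The choice has to rest on an attribute present in the first Access-Request (NAS address, Called-Station-Id/SSID, or a realm in User-Name), because it is the client, not the server, that decides whether the presented certificate is acceptable; the server cannot learn which CA a client trusts before it has already committed to one certificate in the TLS handshake.

```conf
# ---- mods-available/eap (FreeRADIUS 3.x): one eap instance per cert/CA pair ----
# Paths and instance names are assumptions for this example.

# Default instance: the NEW server certificate and CA. Keeping the name "eap"
# means the shipped inner-tunnel virtual server keeps working unchanged.
eap {
	default_eap_type = peap
	tls-config tls-new {
		private_key_file = ${certdir}/server-new.key
		certificate_file = ${certdir}/server-new.pem
		ca_file          = ${cadir}/ca-new.pem
		dh_file          = ${certdir}/dh
	}
	tls {
		tls = tls-new
	}
	peap {
		tls = tls-new
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# Second instance: the OLD server certificate and CA, for clients not yet migrated.
eap eap-old {
	default_eap_type = peap
	tls-config tls-old {
		private_key_file = ${certdir}/server-old.key
		certificate_file = ${certdir}/server-old.pem
		ca_file          = ${cadir}/ca-old.pem
		dh_file          = ${certdir}/dh
	}
	tls {
		tls = tls-old
	}
	peap {
		tls = tls-old
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# ---- sites-enabled/default (excerpt): route each request to one instance ----
authorize {
	preprocess

	# Assumed split: legacy clients sit behind the NAS at 192.0.2.10.
	# Called-Station-Id (SSID) or a User-Name realm would work the same way.
	if (&NAS-IP-Address == 192.0.2.10) {
		eap-old {
			ok = return
		}
	}
	else {
		eap {
			ok = return
		}
	}

	# non-EAP requests carry on to files / sql / ... as usual
	files
}

authenticate {
	# Each eap instance sets Auth-Type to its own instance name.
	Auth-Type eap {
		eap
	}
	Auth-Type eap-old {
		eap-old
	}
}
```

Only the outer (tunnel-establishing) leg touches the certificates, so the inner-tunnel virtual server can keep calling the plain eap instance for the inner MSCHAPv2 exchange regardless of which outer instance built the tunnel. Once the last legacy client has been reissued, the `if` block and the eap-old instance can be removed together.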

