The SM is buggy. To deploy a new certificate you need to delete at least one of the existing certificates and reboot the SM. That slot should now be empty and should say "Certificate X not present in the system." At this point you can import your new certificate. Some SMs however are cranky about actually deleting the certificates. After a reboot the deleted certificate is still present. CNUT seems to work much better when deploying the certificates for some reason. I haven't had it fail yet. Don't ask me. See the Tools menu.
Alternatively you could use the aaasvr* certificates included with the firmware. Every SM should have that cacert_aaasvr.pem certificate pre-loaded. I'd recommend generating your own certificates however. You need to generate a CA certificate and use that to sign your server certificate. Configure both of these appropriately in your eap.conf file. If the AP doesn't have a time source it starts its clock at 1/1/2001, so you may want to generate both certificates with a valid start date before 1/1/2001. If your AP believes the time is prior to the issuing date in your certificates, authentication will fail and the SM will be locked out for 15 minutes... You need to install a copy of that CA certificate on every SM. You do not need to generate a different certificate for each device. See the limitations on self-signed certificates and third-party certificates in the release notes. In general you can just use the procedures outlined for EAP in the wiki/deployingradius.org to generate your CA certificate, with the caveat that those certificates will be valid from the time you generate them forward.

Logging is basic and essentially worthless in the AP and SM. The underlying RADIUS implementation doesn't provide visibility or better logging, which Moto says they are hoping to rectify at some point, but that doesn't help today.

Oh, and if you're using VLANs you'll want to wait to deploy the forthcoming patch in production. There is a memory leak in 11.0 that will cause the SM to crash when it has to filter downstream broadcast traffic.

Ben

On Tue, Mar 29, 2011 at 12:38 PM, Jim Rice <[email protected]> wrote:
> I believe that installing a certificate on the SM removes both of the defaults.
>
> Does this mean then that one slot is for the CA cert, and the other is for a client cert?
>
> Do we need to generate and install client certificates for every SM?
>
> I thought the AP was the Radius Client in this case, and was handling the TLS handshake? Or does the SM provide its certificates to the AP along with the "user identity" and MAC address when it connects?
>
> (Just when I thought I was beginning to understand all of this...)
>
> --- On Tue, 3/29/11, Ben Wiechman <[email protected]> wrote:
>
>> You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots.
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
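An added example, not part of the thread, for the advice above about backdating: it builds a private CA and a RADIUS server certificate whose validity begins before 1/1/2001, the clock a Canopy AP boots with when it has no time source, and then checks the chain with OpenSSL's clock pinned to that date. The CN values, the 2000-12-31 to 2030-12-31 validity window and the work directory are assumptions; it needs OpenSSL 1.1.0 or newer for `verify -attime`.

```shell
# Added example (not from the original post): CA + server cert that are already
# valid on 1/1/2001, the default clock of a Canopy AP without a time source.
# Names, paths and the validity window are placeholders chosen for this demo.
set -eu
CANOPY_EPOCH=978307200   # 2001-01-01T00:00:00Z as Unix time
write_ca_config() {   # $1 = work dir; minimal config for "openssl ca" and "openssl req"
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = canopy_ca
[ canopy_ca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
private_key = $1/ca.key
certificate = $1/ca.pem
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
}
make_canopy_certs() {  # $1 = work dir; produces ca.pem (for the SMs) and server.key/server.pem (for eap.conf)
  write_ca_config "$1"; cfg="$1/openssl.cnf"
  # Backdated validity 2000-12-31 .. 2030-12-31, UTCTime form YYMMDDHHMMSSZ
  opts="-batch -notext -md sha256 -startdate 001231000000Z -enddate 301231235959Z"
  openssl genrsa -out "$1/ca.key" 2048
  openssl req -new -config "$cfg" -key "$1/ca.key" -subj "/CN=Example Canopy CA" -out "$1/ca.csr"
  openssl ca -config "$cfg" -selfsign -keyfile "$1/ca.key" -extensions v3_ca $opts \
    -in "$1/ca.csr" -out "$1/ca.pem"
  openssl genrsa -out "$1/server.key" 2048
  openssl req -new -config "$cfg" -key "$1/server.key" -subj "/CN=radius.example.net" -out "$1/server.csr"
  openssl ca -config "$cfg" -extensions v3_server $opts -in "$1/server.csr" -out "$1/server.pem"
}
# Verify server.pem against ca.pem with the clock pinned to $2 (Unix time), i.e. as
# an AP whose clock reads that date would judge the chain; exit status 0 = accepted.
verify_chain_at() { openssl verify -attime "$2" -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1; }

WORK=$(mktemp -d)
make_canopy_certs "$WORK"
verify_chain_at "$WORK" "$CANOPY_EPOCH" && echo "chain valid at the AP's default clock"
```

Verifying the same chain at a time earlier than the backdated notBefore fails with "certificate is not yet valid", which is the lockout case described above.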

