I am trying to configure FreeRADIUS with multiple root CAs. This is not a production environment; it is purely a test environment. We need the ability to test out products against FreeRADIUS and other RADIUS servers, using multiple different certificate sizes and root CAs.
I currently have the following in my eap.conf file. Based on the way I read the eap.conf file, this would be the correct way of doing it. Here is what happens: I can authenticate against the first root CA, no matter which one it is, as long as it's the first in the list. It's like all other CAs are ignored. In the config below, as you can see, I have commented out the first few root CAs and 1024ca.pem is currently the first in the list. I am able to authenticate against this one but none past it. If I comment out 1024, then I can authenticate against the next. Any help would be greatly appreciated.
I had read on another forum that in order to support multiple root CAs you just put them all in the same file. I tried this as well, with just the certs as well as with the certs and the private keys; neither seemed to work. I believe that was on a RADIUS 1.x server though, so maybe
Freeradius 2.1.10
Ubuntu 10.04
Thanks,
#certdir = ${confdir}/certs
#cadir = ${confdir}/certs
#certdir = /etc/freeradius/certs20080204
#cadir = /etc/freeradius/certs20080204
certdir = /etc/freeradius/Certs11-20-2011/client/pem
cadir = /etc/freeradius/Certs11-20-2011/CA/pem
#private_key_password = whatever
#private_key_file = ${certdir}/server.pem
private_key_password = passphrase
#private_key_file = ${certdir}/1010Client.pem
private_key_file = ${certdir}/1024_1024client.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
#certificate_file = ${certdir}/server.pem
#certificate_file = ${certdir}/1010Client.pem
certificate_file = ${certdir}/1024_1024client.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
#CA_file = ${cadir}/ca.pem
#CA_file = ${cadir}/PV_10_CA.pem
#CA_file = ${cadir}/CA/pem/1024ca.pem
#CA_file = ${cadir}/512ca.pem
#CA_file = ${cadir}/768ca.pem
CA_file = ${cadir}/1024ca.pem
CA_file = ${cadir}/1280ca.pem
CA_file = ${cadir}/1536ca.pem
CA_file = ${cadir}/1792ca.pem
CA_file = ${cadir}/2048ca.pem
CA_file = ${cadir}/4096ca.pem
Thanks,
Kris Armstrong CCNP, CCDP, MCSE, Security+, A+ Cell Ph:719.440.30.79 Google Voice: 719.357.5821 Fax Ph: 866.390.8416 E-Mail: [email protected] Skype: [email protected] FaceTime: [email protected]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
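A note added after the post (this is not from the original thread, nor from the FreeRADIUS project): each item in the tls section of eap.conf holds one value, so writing CA_file six times does not build a list of trusted roots. To trust several root CAs at once, the usual setup is one PEM file that contains only the CA certificates, one after the other, named by a single CA_file line (or a CA_path directory with OpenSSL-hashed file names). The Python script below is an added example that performs both checks a tester would want: it flags items assigned more than once in an eap.conf excerpt, and it assembles a CA bundle from several PEM files while dropping private-key blocks and duplicate certificates. The PEM inputs are constructed placeholders whose DER payload is a minimal SEQUENCE rather than a real certificate, and the file names are assumed.

```python
"""Check an eap.conf tls excerpt for repeated items and build one CA bundle.

Added example; not the FreeRADIUS project's own code. The eap.conf excerpt
is taken from the post above, the PEM inputs are constructed placeholders.
"""
import base64
import re

# One PEM object: label must match on BEGIN and END; body is base64 with newlines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
# "name = value" at the start of a line (comments are skipped separately).
SETTING = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")


def duplicate_settings(conf_text):
    """Return {item: count} for uncommented items assigned more than once."""
    counts = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SETTING.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM object in text; bad base64 raises."""
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        yield m.group("label"), base64.b64decode(body, validate=True)


def armor(label, der):
    """Re-encode DER bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, "\n".join(lines), label)


def build_ca_bundle(pem_texts):
    """Concatenate only CERTIFICATE blocks from the given PEM texts.

    Private keys never belong in a CA_file, so they are dropped and counted;
    the same certificate appearing twice is kept once.
    Returns (bundle_text, report).
    """
    kept, seen = [], set()
    report = {"certificates": 0, "duplicates_dropped": 0,
              "private_keys_dropped": 0, "other_dropped": 0}
    for text in pem_texts:
        for label, der in pem_blocks(text):
            if label != "CERTIFICATE":
                key = "private_keys_dropped" if "PRIVATE KEY" in label else "other_dropped"
                report[key] += 1
                continue
            if not der or der[0] != 0x30:  # every X.509 cert is a DER SEQUENCE
                raise ValueError("CERTIFICATE block is not a DER SEQUENCE")
            if der in seen:
                report["duplicates_dropped"] += 1
                continue
            seen.add(der)
            kept.append(armor(label, der))
            report["certificates"] += 1
    return "\n".join(kept) + "\n", report


# Excerpt of the tls section from the post (comments kept as they were).
SAMPLE_EAP_CONF = """\
certdir = /etc/freeradius/Certs11-20-2011/client/pem
cadir = /etc/freeradius/Certs11-20-2011/CA/pem
private_key_password = passphrase
private_key_file = ${certdir}/1024_1024client.pem
certificate_file = ${certdir}/1024_1024client.pem
#CA_file = ${cadir}/ca.pem
CA_file = ${cadir}/1024ca.pem
CA_file = ${cadir}/1280ca.pem
CA_file = ${cadir}/1536ca.pem
CA_file = ${cadir}/1792ca.pem
CA_file = ${cadir}/2048ca.pem
CA_file = ${cadir}/4096ca.pem
"""

# Constructed placeholder PEM files: the payload is a tiny DER SEQUENCE
# (SEQUENCE { INTEGER n }), not a real certificate or key.
def _fake_pem(label, n):
    return armor(label, b"\x30\x03\x02\x01" + bytes([n])) + "\n"

SAMPLE_PEM_FILES = [
    _fake_pem("CERTIFICATE", 1),                                    # e.g. 1024ca.pem
    _fake_pem("CERTIFICATE", 2) + _fake_pem("RSA PRIVATE KEY", 99),  # cert + stray key
    _fake_pem("CERTIFICATE", 2) + _fake_pem("CERTIFICATE", 3),       # repeat + new root
]

if __name__ == "__main__":
    print("repeated items:", duplicate_settings(SAMPLE_EAP_CONF))
    bundle, report = build_ca_bundle(SAMPLE_PEM_FILES)
    print(report)
    print(bundle)  # write this to one file and name it in a single CA_file line
```

To use it against a real tree, read each root-CA PEM from ${cadir} into the list passed to build_ca_bundle, write the returned text to one file such as ${cadir}/ca-bundle.pem, and point the only CA_file line at it; the report tells you at a glance whether a private key slipped into the bundle, which is the case the post describes as also failing.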

