Good afternoon All,
I've taken some time over the last little while to work with my test environment, getting it up to date and trying out some issues with regard to authenticating against multiple certificates on a single SSID for the purpose of migration to a new root certificate while still continuing to function with the old in the transition phase.
What I'm finding, though, is that when I try to authenticate against that particular server, which now has both its own certs applied and the root cert from my production server as well to replicate the instance of a new root being installed, I can authenticate a user with the specific certs for the test server, but not a client using certs for the production server.
I've taken a few captures of the server coming online using -X, an attempted connection with the production certs and also the configuration of my eap.conf file. I can see in the initial stages that the EAP-TLS actually reads a bit of what the client is passing, enough to say that it has a valid client cert. But when it comes back to dive deeper into the cert, it appears that it does not recognize the CA as being there and bottoms out the request with a reject.
I've got both roots in a single file in the directory specified and when I do an openssl verify on the roots, it does come back :ok. I found some articles on how to link up the new certificate in openssl so that it can at least read it properly as trusted. But the FR server appears not to recognize it on the second pass. Perhaps I'm missing something, but is it even possible to authenticate using both root CAs at one time?
Thank you in advance for any assistance / guidance anyone can provide with this.
Regards,
Mitch
Mitch Yackobeck, MCSE, MCSA, MCP, CCNA, CompTIA Network+
Network Systems Administrator
Renfrew County District School Board
1270 Pembroke Street West
Pembroke, ON K8A 4G4
Phone: (613) 735-0151 Ext. 2278
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
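
The message above checks the two roots with openssl verify; the sketch below runs the complementary check, verifying each client certificate against the combined root file. It is an added example, not part of the original post or of FreeRADIUS, and every name in it (the test and prod roots, the client names, the file names) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed roots and client certs, nothing from the poster's servers.
write_cnf() {  # minimal config so the demo does not depend on the system openssl.cnf
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

make_root() {  # $1 = label; writes $1-ca.key and a self-signed $1-ca.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config demo.cnf \
    -subj "/CN=$1 Root CA" -keyout "$1-ca.key" -out "$1-ca.pem" 2>/dev/null
}

make_client() {  # $1 = issuing root label, $2 = client name; writes $2.pem
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1-ca.pem" -CAkey "$1-ca.key" \
    -set_serial 1 -days 1 -out "$2.pem" 2>/dev/null
}

chains_to() {  # $1 = CA bundle, $2 = client cert; exit status 0 if the chain builds
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

count_certs() {  # number of certificates actually present in the bundle file
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

build_demo() {  # two unrelated roots, one client under each, one combined bundle
  write_cnf && make_root test && make_root prod &&
  make_client test test-client && make_client prod prod-client &&
  cat test-ca.pem prod-ca.pem > both-ca.pem
}

cd "$(mktemp -d)" && build_demo || exit 1
for c in test-client prod-client; do
  for b in test-ca.pem both-ca.pem; do
    chains_to "$b" "$c.pem" && r=OK || r=FAIL
    echo "$c against $b: $r"
  done
done
```

Pointing `chains_to` at the real combined root file and a production client certificate performs the same chain check outside the RADIUS server, which separates a problem in the bundle from a problem in the server configuration.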

