
Is it possible to run FreeRADIUS (version 3.0.13) with two different CAs, so that I have a server certificate from one CA and the client certificates come from a different CA?

Our current setup in /etc/raddb/mods-enabled/eap looks a bit like this:

...
tls-config tls-common {
  certificate_file = ${certdir}/server.pem  # certificate only from CA ONE
  ca_file = ${cadir}/ca.pem                 # complete chain from CA TWO
  auto_chain = no
  ca_path = ${cadir}                        # contains all certs/complete chains from both CAs
}
...

And this is the error that I see in the logs:

Mon Dec 20 13:15:30 2021 : ERROR: (352) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
Mon Dec 20 13:15:30 2021 : ERROR: (352) eap_tls: ERROR: TLS_accept: Failed in error
Mon Dec 20 13:15:30 2021 : ERROR: (352) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)

Once clients and the server got their certificates from the same CA, everything worked fine.

So is it even possible to have different CAs for the server and the clients? If so, what would I have to do to accomplish this?

Thomas

1 Answer


With some help from Alan DeKok of the FreeRADIUS mailing list, the problem could be solved.

First off, we needed to use only ca_path, without ca_file in addition. Then we put all CA certificates into the ca_path directory.

Finally, the client also needed the root CA for the server certificate. Then the clients could finally connect:

Tue Jul  5 12:33:37 2022 : Auth: (14) Login OK: [USER] (from client ap port 111 cli 111.1111.1111)
Thomas
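The layout the answer arrives at, written out as an added example rather than the poster's own configuration: ca_file is dropped, and the trust directory named by ca_path holds the certificates of both CAs. The file names (ca-one-root.pem, ca-two-root.pem, server.key), the ${cadir} value and the private_key_file line are assumptions for illustration; only ca_path, certificate_file and auto_chain come from the question. FreeRADIUS hands ca_path to OpenSSL, which looks up CAs in that directory by subject-name hash, so the directory has to be rehashed after every change.

```conf
# /etc/raddb/mods-enabled/eap (added example; paths and file names are assumed)
tls-config tls-common {
	# Server certificate issued by CA ONE. Because the client does its own
	# path building, the supplicant's trust store must contain the CA ONE
	# root (the answer's third point), or it will send "unknown CA".
	certificate_file = ${certdir}/server.pem
	private_key_file = ${certdir}/server.key      # assumed; not shown in the question
	auto_chain = no

	# No ca_file here (the answer's first point). ca_path alone is the trust
	# store for client certificates, and it contains the roots and
	# intermediates of BOTH CAs, e.g.
	#   ${cadir}/ca-one-root.pem   ${cadir}/ca-one-intermediate.pem
	#   ${cadir}/ca-two-root.pem   ${cadir}/ca-two-intermediate.pem
	# OpenSSL finds them by hashed symlink, so after adding or replacing any
	# file run:   openssl rehash ${cadir}      (or c_rehash ${cadir})
	# and check both chains resolve before restarting radiusd:
	#   openssl verify -CApath ${cadir} ${certdir}/server.pem
	#   openssl verify -CApath ${cadir} some-client-cert.pem
	ca_path = ${cadir}
}
```

A forgotten rehash is the usual reason a certificate that is visibly present in the directory is still reported as an unknown CA, so the openssl verify check in the comments is worth running before touching the clients.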