FreeRadius with mixed CAs

Thomas

5/19/23, 8:28 AM

Is it possible to run FreeRadius (version 3.0.13) with two different CAs? So that I have a server certificate from one CA and the client certificates come from a different CA?

Our current setup in /etc/raddb/mods-enabled/eap looks a bit like that:

...
tls-config tls-common {
  certificate_file = ${certdir}/server.pem  # certificate only from CA ONE
  ca_file = ${cadir}/ca.pem                 # complete chain from CA TWO
  auto_chain = no
  ca_path = ${cadir}                        # contains all certs/complete chains from both CAs
}
...

And this is the error that I see in the logs:

Mon Dec 20 13:15:30 2021 : ERROR: (352) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
Mon Dec 20 13:15:30 2021 : ERROR: (352) eap_tls: ERROR: TLS_accept: Failed in error
Mon Dec 20 13:15:30 2021 : ERROR: (352) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)

Once clients and the server got their certificates from the same CA everything worked fine.

So is it even possible to have different CAs for server and client? If yes what would I have to do to accomplish this task?

0 + 0

certificate

pki

certificate-authority

freeradius

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: FreeRadius with mixed CAs

TH: FreeRadius พร้อม CA แบบผสม

RO: FreeRadius cu CA mixte

RU: FreeRadius со смешанными центрами сертификации

VI: FreeRadius với CA hỗn hợp

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.