[RADIATOR] Presenting two server certificates during a EAP-TLS session. Is that possible at all.

Hugh Irvine hugh at open.com.au
Mon May 24 03:44:52 CDT 2010


Hello Anders -

Unfortunately there is no easy way to do this.

Radiator needs some way to identify which clients are which so the RADIUS requests can be routed to the appropriate Handler and AuthBy (with different certificates in each one).

You can do this by altering the usernames to include something meaningful in the Realm suffix, or you can maintain a list that Radiator can access which will direct Radiator where to send the requests.

You can either use AuthBy RADIUS requests to proxy the requests to separate instances of Radiator, or you can use the AuthBy HANDLER clause to redispatch the requests internally.

Or another alternative might be to have the client devices point to different Radiator instances for the different certificates.

hope that helps

regards

Hugh


On 24 May 2010, at 15:05, Anders Nilsson wrote:

> Hi,
>
> During a meeting with my colleagues a discussion began whether it's at all possible to present two server certificates with different CAs at the same time.
> For several practical reasons we are more or less forced to change the root CA and therefore we are facing a situation where all the users have to reconfigure their wireless supplicant settings at a specific time.
> Therefore it would seem very practical if there was a possibility to use both server certificates at the same time.
> To my knowledge it is not possible to do this but if someone could prove me wrong I would be very happy.  ;)
>
> So my question really boils down to whether the following could work?
>
> <Handler Realm=/^(UMU\.SE)$/i, EAP-Message=/.+/>
>     AuthByPolicy ContinueWhileReject
>     <AuthBy LDAP2>
>         EAPTLS_CertificateFile %D/OneServerCert
>     </AuthBy>
>     <AuthBy LDAP2>
>         ….
>         ….
>         EAPTLS_CertificateFile %D/AnotherServerCert
>     </AuthBy>
> </Handler>
>
> Of course if there's another way to do this which I've overlooked I'd be very happy if someone could help me.
>
> Cheers
> Anders Nilsson
> Network consultant
> Umeå university
> SUNET  Sweden
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
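A worked configuration for the approach Hugh describes (routing on the Realm suffix into two Handlers, each holding its own EAP-TLS server certificate), added here as an illustration; it is not taken from the thread or from the Radiator distribution. The realm names, file paths, secrets and the AuthBy FILE backend are assumptions; Anders's LDAP2 lookup would sit in the same place as AuthBy FILE.

```text
# Added example (not from the thread). Realms, paths and secrets are
# placeholders; AuthBy FILE stands in for the LDAP2 backend in the question.
Foreground
LogStdout
LogDir  .
DbDir   .
Trace   4

<Client DEFAULT>
    Secret  CHANGE-ME
</Client>

# Supplicants still trusting the old root CA keep using the old realm.
<Handler Realm=/^umu\.se$/i>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy FILE>
        Filename                  %D/users
        EAPType                   TLS
        EAPTLS_CAFile             %D/certs/old-ca.pem
        EAPTLS_CertificateFile    %D/certs/old-server-cert.pem
        EAPTLS_CertificateType    PEM
        EAPTLS_PrivateKeyFile     %D/certs/old-server-key.pem
        EAPTLS_PrivateKeyPassword CHANGE-ME
        EAPTLS_MaxFragmentSize    1024
    </AuthBy>
</Handler>

# Supplicants already reconfigured for the new root CA use a distinguishing
# realm suffix, so their requests land in the Handler holding the new cert.
<Handler Realm=/^new\.umu\.se$/i>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy FILE>
        Filename                  %D/users
        EAPType                   TLS
        EAPTLS_CAFile             %D/certs/new-ca.pem
        EAPTLS_CertificateFile    %D/certs/new-server-cert.pem
        EAPTLS_CertificateType    PEM
        EAPTLS_PrivateKeyFile     %D/certs/new-server-key.pem
        EAPTLS_PrivateKeyPassword CHANGE-ME
        EAPTLS_MaxFragmentSize    1024
    </AuthBy>
</Handler>
```

Both Handlers strip the realm before the user lookup, so the same user database serves both populations during the migration; once every supplicant trusts the new CA, the old Handler is simply deleted. A trace 4 log shows which Handler each request matched, which is the quickest way to confirm the realm routing is doing what you expect.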
