Hi, is it possible that make server generated a new CA etc?
I'd recommend making a copy of the current CA cert on each machine and doing a diff.

Regards,
Matt Harlum

On 24/03/2010, at 9:21 PM, sphaero wrote:

> Hi All,
>
> I've been searching the archives for a while on some guidance into setting
> up multiple radius servers using the same CA for use with EAP/TTLS.
>
> I've generated a CA which is distributed to all the clients (i.e. SecureW2).
> I've got 2 radius servers for redundancy. All NAS devices have two radius
> servers configured.
>
> I'm using the scripts from freeradius 2.0 to generate the certificates
> according to instructions in the README. I've set up the ca.cnf and
> server.cnf (not using eap/tls so I skip clients.cf).
>
> On the primary radius server I generated the certificates by issuing:
> make
>
> Now on the second radius server I just copy the following files:
> /certs/ca.pem
> /certs/ca.key
> /certs/ca.der
> /certs/*.cnf
> /certs/Makefile
> /certs/README
> /certs/xpextensions
>
> and issue:
> make server
> make dh
>
> This seems to have worked. But is this really correct?
> I'm renewing one radius server and did this procedure again but now I'm
> receiving "chain could not be validated" errors in SecureW2. Radius log
> seems fine however EAP communication is not finished which corresponds with
> the client stopping communication since it can't validate the certificate.
> I'm really getting lost in the SSL jungle? I would really like to understand
> how this is done right, since it is about security.
>
> Rg,
>
> Arnaud
> --
> View this message in context:
> http://old.nabble.com/Multiple-radius-servers-with-the-same-CA-tp28013061p28013061.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
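
One way to run the comparison suggested in the reply, as an added example that is not part of the original thread: fingerprint `ca.pem` on each server and use `openssl verify` to confirm that each server certificate chains to the CA the clients trust. The `server.pem` file name, the helper names and the throwaway certificates generated in the demo branch are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File and helper names are assumptions.

# SHA-256 fingerprint of a PEM certificate; compare this value for ca.pem
# on every RADIUS server and for the CA file installed on the clients.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if server certificate $2 is signed by CA certificate $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report for one server: $1 = CA the clients trust, $2 = that server's cert.
check_server() {
    echo "CA fingerprint: $(cert_fingerprint "$1")"
    if chain_ok "$1" "$2"; then
        echo "OK: $2 chains to $1"
    else
        echo "FAIL: $2 was not issued by $1"
        return 1
    fi
}

# --- constructed test data: throwaway CA and server certificate ---
make_test_ca() {      # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
make_test_server() {  # $1 = directory holding ca.pem and ca.key
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

if [ $# -eq 2 ]; then
    check_server "$1" "$2"
else
    # Demo: two machines that each ended up with their own CA of the same
    # name, which is the situation the reply asks about.
    primary=$(mktemp -d); secondary=$(mktemp -d)
    make_test_ca "$primary";   make_test_server "$primary"
    make_test_ca "$secondary"; make_test_server "$secondary"
    check_server "$primary/ca.pem" "$primary/server.pem"
    check_server "$primary/ca.pem" "$secondary/server.pem" || true
    rm -rf "$primary" "$secondary"
fi
```

Run with two arguments (the CA file the clients trust, then a server's certificate) to check real files; with no arguments it runs the constructed demo.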