Thibault Le Meur wrote:
> In order to avoid a complete breakout when I change the certificate of
> my radius server (because a manual operation is required on the
> supplicant side to select the new CA), I'd like to configure FR so that:
> * when the WiFi client connects to the SSID1, the server uses the old
> certificate and key,
> * and when the client uses the SSID2, the radius server uses the new
> certificate and key
>
> Is this possible ?

  Yes.  Others use multiple certs && multiple EAP modules.

> The result so far is that with such setup my wireless clients can't
> connect at all when they check the certificate, but can connect when
> they don't (no matter what setup is done on the client side). Of course
> I've installed the 2 certificates on the client to check this.
>
> A quick look at FR debug logs confirms, as far as I can read them, that
> the client is refusing the radius server certificate.

  I don't think that's in the debug log.

> Is there a client tool to check which certificate is used by FR ?

  wireshark might do it.

> Have I missed something in the setup ?

  Did you test each piece in isolation before putting it all together?

> I've tried to turn on Windows EAP log, but they aren't very easy to read
> as far as TLS/TTLS/PEAP authentication is concerned !

  They're horrible...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
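The "multiple certs && multiple EAP modules" setup from the reply, written out as an added example. This is not configuration posted by either participant; it is in FreeRADIUS 3.x syntax and assumes instance names eap_old/eap_new, certificate file names under ${certdir}/${cadir}, the SSID names SSID1/SSID2 from the question, and that the access points send Called-Station-Id as "AA-BB-CC-DD-EE-FF:SSID" (common, but NAS-dependent; check one Access-Request in debug output first). Each eap instance carries its own tls-config, so the SSID decides which server certificate the supplicant is shown; the old SSID keeps presenting the chain the clients already trust, so clients that validate the certificate keep working until they are moved to the new CA.

```unlang
# mods-enabled/eap_old  (assumed file name): EAP instance bound to the OLD cert/key
eap eap_old {
    default_eap_type = peap
    tls-config tls_old {
        private_key_file = ${certdir}/server-old.key
        certificate_file = ${certdir}/server-old.pem
        ca_file          = ${cadir}/ca-old.pem    # the CA the supplicants trust today
    }
    tls {
        tls = tls_old
    }
    ttls {
        tls = tls_old
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls_old
        virtual_server = "inner-tunnel"
    }
}

# mods-enabled/eap_new  (assumed file name): same shape, NEW cert/key and CA
eap eap_new {
    default_eap_type = peap
    tls-config tls_new {
        private_key_file = ${certdir}/server-new.key
        certificate_file = ${certdir}/server-new.pem
        ca_file          = ${cadir}/ca-new.pem
    }
    tls {
        tls = tls_new
    }
    ttls {
        tls = tls_new
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls_new
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/default (relevant parts only; other module calls omitted).
# Pick the EAP instance from the SSID suffix of Called-Station-Id.
authorize {
    preprocess
    if (&Called-Station-Id =~ /:SSID1$/i) {
        eap_old {
            ok = return
        }
    }
    elsif (&Called-Station-Id =~ /:SSID2$/i) {
        eap_new {
            ok = return
        }
    }
    else {
        # an SSID we did not plan for should not silently get either certificate
        reject
    }
}

authenticate {
    # each eap instance sets Auth-Type to its own instance name,
    # so both need an Auth-Type section here
    Auth-Type eap_old {
        eap_old
    }
    Auth-Type eap_new {
        eap_new
    }
}
```

Test each half on its own, as the reply suggests: point one test client at SSID1 with only the old CA installed, then at SSID2 with only the new CA, and confirm in `radiusd -X` that the Access-Request is routed into the intended instance (the debug output names the module called). The inner-tunnel virtual server can keep its usual `eap` call for the inner EAP-MSCHAPv2 exchange, since the inner method never touches the server certificate.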