Use multiple certificates at the same time

Jouni Malinen
Tue Oct 25 16:27:39 PDT 2011


On Tue, Oct 25, 2011 at 03:59:04PM -0700, Ferguson, Dana R wrote:
> I work for Fluke Networks and we are testing a device that authenticates to RADIUS servers. So we have created all of the supported certificates for both the CA and the Client. It would be much easier to test the 64+ variations of certificates if you could just enable all of them at the RADIUS server to be tested instead of one at a time.

How would you select which certificate to use? Based on the username? I
guess that could be done, but this certainly doesn't sound like the most
common functionality for a RADIUS server that is aimed at minimal use
cases in embedded devices.. ;-) I don't think that even many quite a bit
higher-end RADIUS authentication servers support this (mainly the ones
that support multiple realms can probably have such a configuration
possibility).

I would assume that this could be implemented by running multiple
instances of hostapd RADIUS server (you can do that with a single
process if desired, i.e., just specify multiple configuration files on
the command line with each one using a unique UDP port number) and using
a RADIUS proxy in front of that to direct requests based on the
username/realm to a specific UDP port.

If you think that that would not be enough to meet your needs, I would
like to hear somewhat more convincing arguments on why hostapd would
need such a level of complexity.. Sure, it should be possible to extend
the internal RADIUS server to support multiple realms, but that is not
exactly the main focus area for hostapd development.

-- 
Jouni Malinen                                            PGP id EFC895FA
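
The routing decision a front-end proxy would make in the setup described above, as an added example that is not part of the original message or of hostapd: it parses the User-Name attribute out of a RADIUS Access-Request and maps its realm to the UDP port of one server instance. The realm names and port numbers are assumptions made up for illustration, and the sample packets are constructed.

```python
import struct

# Hypothetical realm -> UDP port map; each port is one hostapd RADIUS server
# instance started with its own configuration file and server certificate.
REALM_PORTS = {"rsa2048.test": 18121, "ecdsa-p256.test": 18122}
DEFAULT_PORT = 18120          # instance used when no known realm is present
ACCESS_REQUEST = 1            # RADIUS code (RFC 2865)
ATTR_USER_NAME = 1            # RADIUS attribute type (RFC 2865)

def user_name(packet: bytes) -> str:
    """Return the User-Name attribute of a RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20                  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_USER_NAME:
            return packet[pos + 2:pos + attr_len].decode("utf-8", "replace")
        pos += attr_len
    raise ValueError("no User-Name attribute")

def backend_port(packet: bytes) -> int:
    """Pick the backend instance from the realm part of User-Name."""
    _, sep, realm = user_name(packet).rpartition("@")
    if not sep:
        return DEFAULT_PORT
    return REALM_PORTS.get(realm.lower(), DEFAULT_PORT)

def build_request(name: str, ident: int = 1) -> bytes:
    """Construct a sample Access-Request carrying only User-Name (test data)."""
    raw = name.encode()
    attr = bytes([ATTR_USER_NAME, 2 + len(raw)]) + raw
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr))
    return header + bytes(16) + attr   # zero bytes stand in for the authenticator

if __name__ == "__main__":
    for n in ("dut@rsa2048.test", "dut@ecdsa-p256.test", "dut"):
        print(n, "->", backend_port(build_request(n)))
```

A real proxy would also forward the datagram to the chosen port and relay the reply; only the selection step is shown here.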


