Migrating FR3 instance

Migrating FR3 instance

thyde_rsi
Greets - I would like to migrate a test platform I have in a VM (FR3
3.0.12 on Debian 9) to a bare-metal deployment of same, but keep the
client certificates as used in the VM instance. The bare-metal version
already has other things installed, including a clean copy of FR3, so
it's not as easy as simply imaging the appliance back to bare-metal. I
am using eap-tls auth for a NAS, and wireless clients already have both
the ca certificate and client certificates installed on them and
functional. Given that this is a bare-metal install target that still
has the snakeoil/testing certificates installed, is there a
preferred/working method to copy the existing certs across and not
destroy the entire system in the process? I expect I will have to copy
the .cnf files for some items, but how does the ca structure (since I
*think* I am also using CA validation in my eap module) get copied over?

Thanks,

Ted.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Migrating FR3 instance

Matthew Newton-3
On Fri, 2019-11-01 at 16:22 -0400, Ted Hyde (RSI) wrote:

> Greets - I would like to migrate a test platform I have in a VM (FR3
> 3.0.12 on Debian 9) to a bare-metal deployment of same, but keep the
> client certificates as used in the VM instance. The bare-metal version
> already has other things installed, including a clean copy of FR3, so
> it's not as easy as simply imaging the appliance back to bare-metal. I
> am using eap-tls auth for a NAS, and wireless clients already have both
> the ca certificate and client certificates installed on them and
> functional. Given that this is a bare-metal install target that still
> has the snakeoil/testing certificates installed, is there a
> preferred/working method to copy the existing certs across and not
> destroy the entire system in the process?

FreeRADIUS only uses the certs/keys that are given in the
configuration. So look in mods-enabled/eap (or other similar locations)
and see what files are being included. If they're still in the normal
place then they'll be in the certs/ dir.

Likelihood is it's just a certificate file (possibly with the full
chain), a key file, and a ca root cert file.

"freeradius -XC | grep pem" will probably list everything.

Just copy those over.

Back up the config before you start so you can roll back if needs be
and you can't really go wrong.

--
Matthew
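
The check described in the reply above, as an added example that is not part of the original thread: it lists the TLS files a `mods-enabled/eap` config names and reports, directive by directive, whether the new host's file is identical to the old one. The function names and the sample trees are hypothetical, and it assumes `${certdir}` and `${cadir}` both resolve to the `certs/` directory under the config root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ${certdir} and ${cadir} both
# resolve to <raddb>/certs and that values contain no spaces.

# Print "directive path" for each TLS file the eap module config names.
eap_tls_files() {
    sed -n -E 's/^[[:space:]]*(private_key_file|certificate_file|ca_file|dh_file)[[:space:]]*=[[:space:]]*"?([^"[:space:]#]+).*/\1 \2/p' \
        "$1/mods-enabled/eap" |
        sed -e "s|\${certdir}|$1/certs|" -e "s|\${cadir}|$1/certs|" | sort -u
}

# Compare, directive by directive, the file OLD's config names with the file
# NEW's config names. Prints "<status> <directive>"; returns 1 unless all same.
compare_tls_files() {
    old=$1 new=$2 rc=0
    while read -r directive oldpath; do
        [ -n "$directive" ] || continue
        newpath=$(eap_tls_files "$new" | awk -v d="$directive" '$1 == d { print $2; exit }')
        if [ -z "$newpath" ]; then status=unset
        elif [ ! -f "$newpath" ]; then status=missing
        elif cmp -s "$oldpath" "$newpath"; then status=same
        else status=differs
        fi
        [ "$status" = same ] || rc=1
        echo "$status $directive"
    done <<EOF
$(eap_tls_files "$old")
EOF
    return "$rc"
}

# Constructed sample: two raddb trees with the same config, different files.
make_sample() {
    for h in vm metal; do
        mkdir -p "$1/$h/mods-enabled" "$1/$h/certs"
        printf '%s\n' 'eap {' ' tls-config tls-common {' \
            '  private_key_file = ${certdir}/server.key' \
            '  #certificate_file = ${certdir}/old.pem' \
            '  certificate_file = ${certdir}/server.pem' \
            '  ca_file = ${cadir}/ca.pem' ' }' '}' > "$1/$h/mods-enabled/eap"
        for f in server.key server.pem ca.pem; do echo "$h $f" > "$1/$h/certs/$f"; done
    done
}

tmp=$(mktemp -d)
make_sample "$tmp"
compare_tls_files "$tmp/vm" "$tmp/metal" || true   # bare metal still has its own files
cp "$tmp/vm/certs/"* "$tmp/metal/certs/"           # the copy step from the reply
compare_tls_files "$tmp/vm" "$tmp/metal"           # every directive now reports "same"
rm -rf "$tmp"
```

On real hosts the two arguments would be a backup copy of the VM's config directory and the bare-metal config directory; a status of `unset` means the new config does not name that directive at all.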

