ePMP Radius EAP-TLS certificate 2


We are planning to upgrade our radius and the certificate we have been using is no longer sufficient. I have been able to add a second radius server certificate (user cert 2) to our PMP450 SMs and they will connect to our new server in testing along with our current server in production.

Unfortunately with ePMP the user cert 2 does not seem to be used. Even with the correct second cert uploaded to a test SM I am getting a TLS certificate error in radius. The only way to force EAP-TLS authentication with the new certificate is to delete user cert 1 but then I can no longer connect to the production radius server.

I need to be able to have 2 certificates in place on all SMs (I have been able to do this with cnMaestro templates as clients come online) and then switch over the radius servers at a suitable time.

Has anyone been able to get user cert 2 to work on ePMP?


Not sure how this got missed but

Epmp uses one cert entry for the certificate and the other for the chain certificate. If you are using self-signed, then you can add a second cert, but only one is used. This allows you to add a certificate and delete the old one without loosing the SM authentication.

I am not sure if this is intended behavior but this is how it worked when we were running self-signed certificates. Now we run a public certificate so unless the chain cert has to be swapped, we just write over the old certificate when needed.

1 Like

Hi Douglas,

Thanks for the input, that is the behaviour I would expect but having just updated my test deployment to 4.7 I am still failing to get EAP authentication with the second user cert (until I delete the old one).

IT would have been better to have it behave the same as the 450 radios (use second cert if first fails) to ease rollout to CPEs which are only online intermittently, but this is what we’ve got…


There is a fundamental difference in how certs are handled in the epmp vs pmp450 radios. This has to do with how the radios OS actually works and is fairly long winded topic. Suffice to say, the epmp looks at both feilds for the cert and its chain where the pmp450 requires the chin and cert in a single file and thus with the single file, two fields are not needed and both can be used separately. However with the epmp, you are generally better off with the chain file in field1 and the cert in field 2 but the epmp can use a combined chain and cert file and so will ignore the other field unless the first is empty. This also means that the default certs must be disabled too.