If CRL (Certificate Revocation List) checking is enabled, then when the CRL expires and gets renewed the RADIUS service does not reload the CRL. This causes authentications to start to fail because the CRL being used by RADIUS is no longer valid. The workaround is to disable and then enable the RADIUS service. But, this has to be done monthly, which appears to be the frequency with which the CRL gets renewed.
I think the RADIUS service needs to be stopped and restarted automatically when the CRL gets renewed.
This is an issue with 2.0RC1. I have not yet upgraded to 2.0RC2. Has this bug been fixed already in that version?
I have now upgraded to 2.0RC2, and a month has passed, which means the CRL has expired once. I did not see a recurrence of the failure. So, either the bug is fixed in 2.0RC2 or else the failure is intermittent. I’ll assume the bug is fixed, but I’ll report back again if it returns.
Sadly, I was too hasty. The Certificate Revocation List got renewed again, and RADIUS stopped authenticating. The “Stop+Start RADIUS” procedure worked again. But, clearly the underlying problem still exists in 2.0RC2.
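One way to automate the "Stop+Start RADIUS" workaround described in this thread, as an added example that is not part of the original posts or the product's own code: a cron-driven script that restarts RADIUS only when the CRL file on disk has changed. The CRL path, state file and restart command are assumed placeholders, since the thread does not give them.

```shell
#!/bin/sh
# Added example. CRL_FILE, STATE_FILE and RESTART_CMD are assumed placeholders;
# set them to the CRL path and RADIUS restart command of your installation.
CRL_FILE="${CRL_FILE:-/path/to/crl.pem}"
STATE_FILE="${STATE_FILE:-/var/run/radius-crl.state}"
RESTART_CMD="${RESTART_CMD:-echo replace-with-radius-restart-command}"

# Print "<crc>:<size>" for the CRL file; fail if it cannot be read.
# cksum is used only to notice that the file changed, not as an integrity check.
crl_digest() {
    [ -r "$1" ] || return 1
    cksum < "$1" | awk '{ print $1 ":" $2 }'
}

# Exit status: 0 = CRL differs from the digest saved at the last restart
# (or none is saved yet), 1 = unchanged, 2 = CRL unreadable.
crl_changed() {
    _new=$(crl_digest "$1") || return 2
    _old=$(cat "$2" 2>/dev/null || true)
    [ "$_new" != "$_old" ]
}

# Restart RADIUS once per CRL renewal. The digest is saved only after a
# successful restart, so a failed restart is retried on the next run.
reload_if_renewed() {
    _rc=0
    crl_changed "$1" "$2" || _rc=$?
    if [ "$_rc" -eq 1 ]; then return 0; fi
    if [ "$_rc" -ne 0 ]; then echo "cannot read CRL: $1" >&2; return 2; fi
    $RESTART_CMD || return 3
    crl_digest "$1" > "$2"
}

# Run from cron as: script.sh run
if [ "${1:-}" = "run" ]; then
    reload_if_renewed "$CRL_FILE" "$STATE_FILE"
fi
```

Scheduling this more often than the CRL renewal interval keeps the window of failed authentications short without restarting the service when nothing has changed.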