about freeradius support

David Wood david at wood2.org.uk
Sat Jun 28 17:58:00 CEST 2008

Hi Sergio,

In message <48676BB9.1040409 at alumnos.upm.es>, Sergio Yébenes Moreno 
<sergioyebenes at alumnos.upm.es> writes
>I'm configuring freeradius server with opensc client-side. I'd like to 
>say if freeradius has support for PKCS#11.
>In wpa_supplicant log I see how client writes TLS-ChangeCipherSpec and
>TLS-Finished. This means that the server has authenticated but 
>freeradius show TLS error because client do not send
>certificate. I think it's because PKCS#11. I'm not sure, but I really 
>need to know. I'm using

The server doesn't care where the certificates and private key are 
stored on the client side; the use of PKCS#11 and a smartcard or token 
is irrelevant and the server needs no special support for PKCS#11.

The only way the use of the smartcard or token could change things is if 
your supplicant needs the entire certificate chain on the smartcard or 
token, and you've only loaded the certificate itself.

The only reason the server would need PKCS#11 support is if the server's 
certificate were on a smartcard or token. It's an intriguing idea, but I 
have my doubts that a smartcard or token would keep up with the demands 
placed on it.

As Nicolas said, the debug log on the server side almost certainly 
contains the answer to this - that's where you should be looking.

Run radiusd -X and attempt to authenticate using wpa_supplicant and your 
token or smartcard. What does the server's debug output say? If you can 
see the server rejecting the authentication attempt, look back for the 
reason. If the server accepts the authentication attempt, the problem is 

Best wishes,

David Wood
david at wood2.org.uk

More information about the Freeradius-Users mailing list