The certificate dump shows that it has X509v3 extensions, with an X509v3 extended key usage, with the TLS Web Client Authentication attribute. Yet you've somehow interpreted this as a problem. Why? And why not just use the certificate? It would take you 10 minutes to try it, and hours to wait for a response from the list. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - First of all I ask you excuse for the confusion that I have made! Now I used the CA.all script for generated the certificates but when i tryed to authenticate the client, radius show me an error and close the request. I tryed freeradius-SNAP, 1.1.1, 1.0.X, and now use 1.1.2. I have installed openssl with command apt-get install libssl-dev that they are used in order to create certs by the CA.all or other and for the Tls. It's ok? I don't understand where is the fault! The radius config? the openssl used? The AP (dlink-900AP+). What I must make? I do not know more truly what to make! :-(