Hi Alan, Thanks for your comments.
Define "downloaded".
Did you add that CA to the WiFi profile for the SSID?
I am creating a passpoint.config file for android devices and adding trust root CA certificate to profile. So yes Wifi profile has CA. I am using GlobalSign Trusted Root certificate both on android clients and freeradius. On freeradies what i did in tls config : tls-config tls-common { ca_file = /etc/freeradius/3.0/certs/trustrootg2.pem } "trustrootg2.pem" is the certificate which i said GlobalSign Trusted Root certificate. Also when i try with an ios device ,it does not give a CA error, but still dont Proxy to my home Radius. Here is the ios log : Received Access-Request Id 228 from 213.74.143.148:49579 to 10.0.0.4:1812 length 311 (2) User-Name = "iosuser2@nevotek.com" (2) Chargeable-User-Identity = 0x00 (2) Operator-Name = "1nevotek.com" (2) Location-Capable = Civic-Location (2) Calling-Station-Id = "74-8d-08-b1-f2-17" (2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek" (2) NAS-Port = 4 (2) Cisco-AVPair = "audit-session-id=0a0102e1000001495fbd0ab0" (2) Acct-Session-Id = "5fbd0ab0/74:8d:08:b1:f2:17/395" (2) NAS-IP-Address = 10.1.2.225 (2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031" (2) Airespace-Wlan-Id = 7 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) EAP-Message = 0x020300061500 (2) State = 0xc1d738d9c0d42d379f86d1a140b85bf5 (2) Message-Authenticator = 0xb6eaf292518a6a1b0412bcf447a369fa (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xc1d738d9c0d42d37 (2) eap: Finished EAP session with state 0xc1d738d9c0d42d37 (2) eap: Previous EAP request found for state 0xc1d738d9c0d42d37, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 336 (2) eap: EAP session adding &reply:State = 0xc1d738d9c3d32d37 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 228 from 10.0.0.4:1812 to 213.74.143.148:49579 length 0 (2) EAP-Message = 0x01040150158000000528dea40bf695dd65cb94e7c64b46f8258e37d115bb5f05ad0b211b1baa131094fc84322e71cb87edc23a19c828d577c87f25ecca323b3e2dcc510401010075eb53b211d878436e2ddb265dee9684eb997a14467b69e48677af7b3f42eae785a2d3a56a072120c33db568484a78c4 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xc1d738d9c3d32d379f86d1a140b85bf5 (2) Finished request Thank you so much. [http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk R&D Senior Developer P: +902122867576 E: mesut@nevotek.com F: +902122867476 W: www.nevotek.com [http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Clara,+CA+95054,+USA/@37.4063062,-121.978682,923m/data=!3m2!1e3!4b1!4m5!3m4!1s0x808fc9cc6fc08be1:0xa189e7ab47ebcdc!8m2!3d37.4063062!4d-121.9764933?hl=en> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,29.015257,876m/data=!3m1!1e3?hl=en> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+United+Arab+Emirates/@25.0984488,55.1609574,1052m/data=!3m2!1e3!4b1!4m13!1m7!3m6!1s0x3e5f6b696d88a9ab:0x6d495147845cd0f1!2sInternet+City,+Building+%2314+-+Dubai+-+United+Arab+Emirates!3b1!8m2!3d25.0983618!4d55.1631953!3m4!1s0x3e5f6b696d88a9ab:0x6d495147845cd0f1!8m2!3d25.0983618!4d55.1631953?hl=en> [www.nevotek.com]<www.nevotek.com>