To repeat my previous email - xsupplicant does not have a CA cert that allows it to trust the server.
The line:
Loaded root certificate /etc/raddb/certs/cert-clt.pem
...looks wrong. It looks as if you've told xsupp that the CA cert is the client cert, which it isn't. They're different things.
In FreeRadius, the "eap.conf" file will have:
eap { tls { certificate_file = /path/to/file.pem } }
...and if you run (against that file):
openssl x509 -noout -text -in /path/to/file.pem | egrep '(Subject|Issuer):'
...you'll get something like:
Issuer: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority Subject: C=US, O=MyOrg, OU=MyCA, CN=wireless.myorg.com
The certificate you supply to the CLIENT as the *CA* must be the ISSUER cert - that is, the one with:
Subject: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
I would glance at the xsupp documentation to give more advice but the crapforge^Wsourceforge docs links appears to lead in a loop. This is one reason amongst many others you should seriously consider using wpa_supplicant on the clients.
I have a feeling that I've ruined my CA, and I need to re-create my FreeRadius CA. Now, I've re-examined how to make a CA repeatedly, and everything says something different. my CA.pl is located on /etc/pki/tls/misc Given this is the case, from scratch, what is the best way to create a "Fresh" CA for FreeRadius. I've tried multiple documents from Ubuntu to RedHat, (Mandriva doesn't offer any documentation themselves.) So, in the absense of qualified docs, recommendation?