xia sihua wrote: ...
CA_file = ${cadir}/ca.pem ....
The supplicant I use TeraDot1x Tester from Spirent communication. ... Configuration: ... Root Certificate Filename: server.pem
I think that should be "ca.pem".
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA
Yes, the client is telling you that it doesn't know anything about ca.pem.
If I change Root Certificate Filename from server.pem to ca.pem, will come out following error. .... eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate
Ask the supplicant vendor why they don't like the certificate we provide.
If I use those certificates provided by spirent, can pass. I donot know why? Any ideas?
Print out the spirent certificates, and post the result here. Maybe there's some extra magic needed. $ openssl x509 -text -in spirent.crt Alan DeKok.