See the "scripts" directory that comes with FreeRADIUS. There's a "CA.certs" script which tries to create sample certificates.
It turns out that this was the pointer I needed. Note that the CA.certs script is a little broken, but it's broken in obvious ways that are easily fixed. A fixed version is attached. Once I got the script working, set the correct cert pathnames in eap.conf, and loaded the new certs onto my XP laptop, everything worked just fine. I will note however that if I try to set: check_cert_cn = %{User-Name} in the "tls" section of eap.conf, then I am unable to connect to the network with EAP/TLS. I don't fully understand from the docs what this parameter is doing exactly. Is this supposed to work? Is there some configuration (perhaps in my users file) that I'm missing? What is the impact of NOT setting this parameter? Also, another note for folks using DLink gear like I am. If you are turning on MAC filtering, be sure to include the MAC address of your radius server in the list of allowed MAC addresses or else authentication will fail (at least on the DI-784 like I have). My initial assumption had been that the MAC filtering only applied to which wireless NICs should be allowed to connect, but I was obviously wrong about that. -- Hal Pomeranz, Founder/CEO Deer Run Associates hal@deer-run.com Network Connectivity and Security, Systems Management, Training