I hate to resurrect this long thread from July 22-28, but I have the same problem and never saw a resolution. I'm using FreeRadius 2.0.5 on CentOS 5.2 with wpa_supplicant 0.6.4 (latest to date). I'm using the bootstrap script to generate example certificates. I also created a client certificate using make client.pem. I configured wpa_supplicant with ca.pem, client.pem and client.key. EAP-TLS authentication fails with the "fatal unknown ca" message. If I hack the Makefile like Sergio mentioned last month to sign the client certificate with the CA key, then authentication succeeds. In last month's thread, Alan DeKok posted:
You need to follow the documentation in eap.conf.
# If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/server.pem
Have you done that?
In my case, CA_file does indeed refer to ca.pem as created by the bootstrap script. So I'm assuming that I don't need to touch the server.pem file as created. I'd really like to understand what's wrong. Could wpa_supplicant be somehow incompatible with the bootstrap certificate chain? Thanks