Client certs with MSCHAPV2 in PEAP

Dave Huff dbhuff at
Thu Feb 23 19:40:03 CET 2006


> -----Original Message-----
> From: aland at [mailto:aland at] On Behalf 
> Of Alan DeKok
> "Dave Huff" <dbhuff at> wrote:
> >   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal 
> > certificate_unknown TLS Alert read:fatal:certificate unknown
>   SSL is telling FreeRADIUS that the certificate sent by the 
> client is bad.
That's what I thought too, but I configured the CA, server, and client certs
all on Openssl pretty much like

Windows is using the cert I installed from the linux box, at least I have a
choice in ProSET.  If Windows overrides for some reason, I wouldn't
know...can I set a debug mode that would tell me?
>   You're probably doing EAP-TLS where the server has one 
> cert, and the client has cert signed by someone else 
> entirely.  For EAP-TLS to work, the client certs have to be 
> signed by the server cert.
Signed by the server cert or by the CA cert?  I have a CA that signed the
server and client certs, and the eap.conf file knows where server and CA
certs are.

>   Alan DeKok.

More information about the Freeradius-Users mailing list