Client certs with MSCHAPV2 in PEAP

Alan DeKok aland at
Thu Feb 23 22:47:03 CET 2006

"Dave Huff" <dbhuff at> wrote:
> > For EAP-TLS to work, the client certs have to be 
> > signed by the server cert.
> Signed by the server cert or by the CA cert?  I have a CA that signed the
> server and client certs, and the eap.conf file knows where server and CA
> certs are.

  If you're using 1.0.x, that won't work.  It doesn't do certificate
chains.  The client cert MUST be signed by the server cert.  Using a
CA to sign them, both won't work.

  I'm not even sure it will work in 1.1.0, to be honest.

  Alan DeKok.

More information about the Freeradius-Users mailing list