Client certs with MSCHAPV2 in PEAP

Robert Myers ccrider at
Thu Feb 23 23:18:06 CET 2006

Does this only apply if the supplicant uses a server cert during eap/tls?

The reason I ask is that I'm using a client cert signed by my CA to do 
eap/tls, and it's working.  I have not implemented the server cert as of 


Alan DeKok wrote:
> "Dave Huff" <dbhuff at> wrote:
>>> For EAP-TLS to work, the client certs have to be 
>>> signed by the server cert.
>> Signed by the server cert or by the CA cert?  I have a CA that signed the
>> server and client certs, and the eap.conf file knows where server and CA
>> certs are.
>   If you're using 1.0.x, that won't work.  It doesn't do certificate
> chains.  The client cert MUST be signed by the server cert.  Using a
> CA to sign them both won't work.
>   I'm not even sure it will work in 1.1.0, to be honest.
>   Alan DeKok.

More information about the Freeradius-Users mailing list