Client certs with MSCHAPV2 in PEAP

Norbert Wegener nw at
Mon Feb 27 17:03:43 CET 2006

>"Dave Huff" <dbhuff at <>> wrote:
>>/ > For EAP-TLS to work, the client certs have to be 
/>>/ > signed by the server cert.
/>>/ Signed by the server cert or by the CA cert?  I have a CA that signed the
/>/> server and client certs, and the eap.conf file knows where server and CA
/>/> certs are.
>  If you're using 1.0.x, that won't work.  It doesn't do certificate
>chains.  The client cert MUST be signed by the server cert.  Using a
>CA to sign them, both won't work.
>  I'm not even sure it will work in 1.1.0, to be honest.
>  Alan DeKok

In 1.1.0 I have chained client certificates and for me EAP-TLS works,
if the client does not require the server to authenticate itself. 
The client cert is not signed by the server cert. 
It seems to be neccessary,that if you have a root ca and an issuing ca, 
the CA_file must contain the certificates of both of them.
If the client requires the server to authenticate itself, the whole process fails.

Norbert Wegener

More information about the Freeradius-Users mailing list