need help - force EAP-TTLS to validate the server certificate

John Dennis jdennis at
Fri Sep 17 17:26:56 CEST 2010

On 09/17/2010 11:00 AM, Klaus Laus wrote:
> thanks a lot for your answer.
>> Either move the "files" module before "eap", or use unlang to set it:
>> authorize {
>>     ...
>>     update control {
>>       EAP-TLS-Require-Client-Cert = yes
>>     }
>>     eap
>>     ...
>> }
> I did the changes in the authorize section, and freeradius seems to require the client certificate. But the server is not accept my certificate. I don't think that the certificate is bad because I can login any client with the same certificate when I use TLS instead of PEAP.
> This is my way to login with PEAP on a windows xp client maybe I do anything wrong? :
> I import the pksc12 certificate from the freeradius server in the windows xp certificate management. When I type certmgr.msc under "run" I can see that the certificate is successfully imported. Then I scan for the wireless networks and connect to wifix, I use PEAP with MSCHAP v.2 and type in testuser as user with the correct password.
> Here you can see the debug output (freeradius did not find my certificate):

That's right, the server didn't get your cert, it's right in the debug. 
As Alan said this isn't a server issue, it's a client issue, figure out 
why your client is not returning a cert.

> TLS Alert write:fatal:handshake failure
>      TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> SSL: SSL_read failed in a system call (-1), TLS session fails.
John Dennis <jdennis at>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list