[ttls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate

Phil Mayers p.mayers at imperial.ac.uk
Sat Mar 1 12:32:19 CET 2014

On 01/03/14 09:08, Ben wrote:
> Hi all,
> In my quest to get TTLS working I'm making slow and painful progress.
> I've now reached this stage, I can see what Freeradius is complaining

Note: FreeRADIUS isn't complaining. It's printing an error that the 
client sent it, "bad certificate". Subtle but important.

> about but don't know how to fix it.  I've tried putting the root cert on
> the client, the intermediate cert on the client, the chain of
> intermediate+root on the client... nothing works !!!!
> What certificate am I supposed to be putting on the client to get TTLS
> working ?????

The CA root, if it isn't already present.

You also need to ensure that the "certificate_file" option under the 
eap{} module contains the server and all intermediate certs (you don't 
need to put the root on there).

If you've done that, then either there's something wrong with the certs, 
or something wrong with the client. Since it's the client complaining, 
you'll need to debug the client.

What is the client?

More information about the Freeradius-Users mailing list