help seeing more debugging EAP-TTLS handshake

Rohan Mahy rohan.mahy at
Fri Sep 25 17:22:23 CEST 2015

Hi Alan,
Attached are the server cert (, the CA cert (CN=Remind
CA), and the mobileconfig file.

- The CA cert is SHA256 and the server cert is SHA-1
- server cert has basic constraints CA false.  CA cert has basic
constraints CA true
- DH key is 1024
- The server cert DOES NOT have a SubjectAltName.  Do I need to add one?
I'm used to using SubjectAltName in certs for HTTPS and IMAP where you are
matching the target domain, but I haven't been able to find a document that
says what to put in the CN/SubjectAltName for 802.1x.  I was originally
going to put the SSID name as a string, but I saw a vague example of a
domain name in an Apple guide where they mentioned wildcards.  Any
suggestions here?


On Fri, Sep 25, 2015 at 7:01 AM, <A.L.M.Buxey at> wrote:

> Hi,
> > My problem with the Macs is figuring out what they do not like about the
> > server certificate.
> can you provide your server cert?
> Macs will care about things like
> is it SHA1 or SHA256 (and not MD5)  - is the CA SHA1 or SHA256 too?
> does the server cert have CA = false  or can the server cert be a CA too?
> (CA = True) - ie no constraints
> does the server cert have a Common Name and a SubjectAltName by the way?
> it could be TLS negotiation failing - if the cipher method is DH-based -
> what's the size
> of your DH key - needs to be 1024bit or more
> start with those
> alan
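One way to read off the certificate properties the quoted reply asks about (signature hash, basic constraints CA flag, presence of a SubjectAltName) with the openssl CLI. This is an added example, not part of the original messages; `audit_cert`, `make_sample_cert` and the `radius.example.org` test certificates are hypothetical and constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit_cert and make_sample_cert are hypothetical helpers.

# Report the certificate properties discussed in the thread, one key=value per line.
audit_cert() {  # $1 = PEM certificate file
  local text
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  # The first "Signature Algorithm:" line names the hash used to sign the cert.
  printf '%s\n' "$text" | awk '/Signature Algorithm:/ {print "sig_alg=" $3; exit}'
  if   printf '%s\n' "$text" | grep -q 'CA:TRUE';  then echo "ca=true"
  elif printf '%s\n' "$text" | grep -q 'CA:FALSE'; then echo "ca=false"
  else echo "ca=unset"; fi
  if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
    # The SAN values are printed on the line after the extension header.
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
      tail -n1 | sed 's/^ */san=/'
  else
    echo "san=none"
  fi
}

# Build a constructed, throwaway self-signed cert to run the audit against.
# $1 = output dir, $2 = file stem, $3 = subjectAltName value ("" for none)
make_sample_cert() {
  local dir="$1" stem="$2" san="$3"
  {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
    printf '[dn]\nCN=radius.example.org\n'
    printf '[ext]\nbasicConstraints=critical,CA:FALSE\n'
    if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san"; fi
  } > "$dir/$stem.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$dir/$stem.cnf" -keyout "$dir/$stem.key" \
    -out "$dir/$stem.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" nosan ""
make_sample_cert "$demo_dir" withsan "DNS:radius.example.org"
for c in nosan withsan; do
  echo "== $c"; audit_cert "$demo_dir/$c.pem"
done
```

Run `audit_cert` against both the server certificate and the CA certificate, since the reply asks about the signature hash and CA flag of each.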
