Problems with CA using PEAP/TTLS

Alan DeKok aland at
Tue Oct 11 22:45:58 CEST 2016

On Oct 11, 2016, at 4:28 PM, dump at wrote:
> I'm using freeradius 2.2.5 on debian for authentication of wireless
> access.

  You should upgrade to 3.0.12.  It may help.

> The problem is that authenticating clients (I'm using PEAP/TTLS)
> works only if the CA-certificate is ignored by the client side.

  Which means that the client doesn't have the CA installed.

> When
> trying to authenticate the clients using the CA in Network-Manager the
> authentication fails. The server certificate of freeradius is correctly
> signed and the public CA is selected at the clients (linux using
> Network-Manager).

  Ask the Network-Manager people why their software is broken. :(

> Is there a possibility to catch the server certificate on the client
> side after the transfer to the client. And then checking this server
> certificate signature against the locally installed CA-certificate by
> hand? For example using tcpdump?

  Use eapol_test.

  Alan DeKok.

More information about the Freeradius-Users mailing list