PEAP-MSCHAPv2 replace snakeoil certificates

Olivier Mahieu o_mahieu at
Fri Jan 10 20:12:12 CET 2020


I'm configuring a FreeRadius Ubuntu server to replace Windows NPS server.
The Domain Controller is CA as well.

The server is part of the domain and MSCHAP is configured.

The "$ radtest -t mschap testuser testpassword 0 testing123" works as well.

Now, I want to replace the snakeoil certificate  by a generated server certificate, signed by Windows CA.

I generated freeradius.cer (Signed by Win CA), freeradius.key and placed them in dir's below. ALso the Win root CA, I added in /usr/local/share/ca-certificates.


Following, when I change eap like below; even with absolute path instead of ${certdir}; I get freeradius failure.


Systemctl restart freeradius: failure.
radtest -t fails as well...

Can someone point me the right direction? Thanks!!!


-------------- next part --------------
A non-text attachment was scrubbed...
Name: pastedImagebase640.png
Type: image/png
Size: 12996 bytes
Desc: pastedImagebase640.png
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pastedImagebase641.png
Type: image/png
Size: 7004 bytes
Desc: pastedImagebase641.png
URL: <>

More information about the Freeradius-Users mailing list