Proxy to realm after eap-ttls authantication

Alan DeKok aland at
Tue Nov 24 14:15:36 CET 2020

On Nov 24, 2020, at 2:36 AM, Mesut Ozturk <mesut at> wrote
>> The Android device wasn't configured with the CA used by FreeRADIUS.  So... add the CA to the android system, and configure it to use that CA when authenticating to FreeRADIUS.
> I created freeradius CA certificate according to link. Then eap config for using new created ca.pem

  That's nice, but not what I said to do.

> Also i downloaded ca.pem file to my Android device but still getting same error.

  Define "downloaded".

  Did you add that CA to the WiFi profile for the SSID?

> eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
> I dont understand what you mean with "use that CA when authenticating to FreeRADIUS". What i read in EAP-TTLS, auth server sends the certificate and client validates for open a secure tunnel. Why client have to sent the certificate ?

  The client doesn't have to send a certificate.  The client has to TRUST the CA which has signed the server certificate.

  How can the client validate the server certificate, unless the client knows the CA?

  Alan DeKok.

More information about the Freeradius-Users mailing list