EAP-TLS authentication issue
Aubin, Dylan
daubin at marport.com
Tue Dec 16 09:17:45 UTC 2025
Hi,
I am trying to configure a private network with a WiFi Access Point using WPA3-Enterprise with a RADIUS server on a Raspberry Pi 3 Model B with FreeRADIUS (v3.2.7) and EAP-TLS 1.3 as the authentication protocol. I ran the bootstrap script file to generate the example PKI, and I installed the client key/certificate and CA certificate on my Windows 11 PC. It works well.
However, after generating my own PKI with the same pattern (one CA generating a server certificate and a client certificate), and installing the client key/certificate and CA certificate in my certificate store the same way I did for the example ones, it doesn't work.
From the debug output, it seems that the client PC says that the server certificate is issued by an unknown CA, but it is installed the same way as the example one. Also, I verified that the server certificate from my custom PKI is correct and has been issued by the custom CA whose certificate is installed in my PC's certificate store. I also made sure I added the correct usage extension for WiFi.
I can't find a solution or a similar problem on the web, nor from Chat-GPT.
Attached to this email, you will find both freeradius -X outputs, from the example CA and the custom one. Also, you will find the certificates from both PKIs.
Have a good day,
D. AUBIN
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeradius_logs_custom_pki_p384.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20251216/fe27c311/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeradius_logs_example_pki.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20251216/fe27c311/attachment-0003.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Raspberry-RADIUS-Server.crt
Type: application/octet-stream
Size: 3020 bytes
Desc: Raspberry-RADIUS-Server.crt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20251216/fe27c311/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Root-CA.crt
Type: application/octet-stream
Size: 2844 bytes
Desc: Root-CA.crt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20251216/fe27c311/attachment-0007.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TEST-PC.crt
Type: application/octet-stream
Size: 2847 bytes
Desc: TEST-PC.crt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20251216/fe27c311/attachment-0008.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ca.pem
Type: application/octet-stream
Size: 1785 bytes
Desc: ca.pem
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20251216/fe27c311/attachment-0009.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: client.crt
Type: application/octet-stream
Size: 4740 bytes
Desc: client.crt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20251216/fe27c311/attachment-0010.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.crt
Type: application/octet-stream
Size: 4890 bytes
Desc: server.crt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20251216/fe27c311/attachment-0011.obj>