EAP-TLS authentication issue
Alan DeKok
alan.dekok at inkbridge.io
Tue Dec 16 18:38:11 UTC 2025
On Dec 16, 2025, at 10:17 AM, Aubin, Dylan via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I am trying to configure a private network with a WiFi Access Point using WPA3-Enterprise with a RADIUS server on a Raspberry Pi 3 Model B with FreeRADIUS (v3.2.7) and EAP-TLS 1.3 as the authentication protocol. I ran the bootstrap script file to generate the example PKI, and I installed the client key/certificate and CA certificate on my Windows 11 PC. It works well.
> However, after generating my own PKI with the same pattern (one CA generating a server certificate and a client certificate), and installing the client key/certificate and CA certificate in my certificate store the same way I did for the example ones, it doesn't work.
> From the debug output it seems that the client PC says that the server certificate is issued by an unknown CA, but it is installed the same way as the example one.
This is really an issue for the client side. There isn't much you can do to FreeRADIUS to make the client recognize the CA.
> Also, I verified that the server certificate from my custom PKI is correct and has been issued by the custom CA whose certificate is installed in my PC's certificate store. I also made sure I added the correct usage extension for WiFi.
> I can't find a solution or a similar problem on the web, nor from Chat-GPT.
Chat-GPT is useless.
You'll have to figure out why the client hasn't installed the CA properly. Once the CA is installed, EAP-TLS should work.
Alan DeKok.
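One way to check, on the Windows client, which certificate stores actually hold the custom CA and whether Windows can chain the server certificate to it. This is an added example, not part of the original messages; the two file paths are placeholders (assumptions) for the CA and server certificates exported from the custom PKI.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Placeholder paths (assumptions): point these at the custom CA and server certificates.
$caPath     = 'C:\certs\ca.der'
$serverPath = 'C:\certs\server.crt'

$ca     = [X509Certificate2]::new($caPath)
$server = [X509Certificate2]::new($serverPath)

# 1. Where is the CA installed? A root CA is only trusted from a "Root" store;
#    a copy in "CA" (intermediates) or "My" (personal) does not make it a trust anchor.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA',
          'Cert:\CurrentUser\My'
foreach ($store in $stores) {
    $hit = Get-ChildItem -Path $store | Where-Object Thumbprint -eq $ca.Thumbprint
    '{0,-26} {1}' -f $store, $(if ($hit) { 'CA present' } else { 'CA absent' })
}

# 2. Does the server certificate name this CA as its issuer?
"Server issuer DN equals CA subject DN: $($server.Issuer -eq $ca.Subject)"

# 3. Can Windows build a trusted chain for the server certificate?
#    Revocation checking is switched off so the result reflects trust only.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
$trusted = $chain.Build($server)
"Chain builds to a trusted root: $trusted"
$chain.ChainStatus | ForEach-Object {
    '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
}

# The last chain element is the root Windows ended on; it should be the custom CA.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain root is the custom CA: $($root.Thumbprint -eq $ca.Thumbprint)"

# 4. Does the server certificate carry the TLS Server Authentication EKU?
$eku  = $server.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
$oids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
"Server Authentication EKU (1.3.6.1.5.5.7.3.1): $($oids -contains '1.3.6.1.5.5.7.3.1')"
```

A status of `UntrustedRoot` or `PartialChain` in step 3, together with "CA absent" for both `Root` stores in step 1, means the CA certificate was imported into a store that does not make it a trust anchor.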