Fw: EAP-TLS problem

Bryan Kadzban bryan
Tue Jun 12 15:39:15 PDT 2007



shantanu choudhary wrote:
> I am using certificates generated from the server itself and they are
> self signed.

Then they will have to be trusted by wpa_supplicant.

> With Windows using the same set of certificates I am able to get
> connected to the AP.

I suspect that's because Windows is set up so it doesn't require a valid
cert from the server.  But it doesn't really matter.

> ca_cert="/etc/wpa_supplicant/root.pem"

If your RADIUS server is using a self-signed cert, then that self-signed
cert needs to be named in this option, not root.pem.  The ca_cert option
controls which certs the supplicant will accept from the RADIUS server:
the RADIUS server has to use a cert that's signed by the cert in the
ca_cert file.  (This is for client-side security, so the client doesn't
associate with a network served by an untrusted RADIUS server.)

I am assuming that root.pem is the CA that signed the client cert you're
using (shan.pem), right?  I don't think the client cert's signer needs
to be listed in the ca_cert option; I think the only thing controlled by
that option is which server certs are valid.
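
A way to check, before editing the supplicant configuration, which PEM file can act as the trust anchor for the RADIUS server's certificate. This is an added example, not part of the original message: it uses `openssl verify` as a stand-in for the supplicant's own TLS validation, and `server.pem` and all generated certificates are constructed test data.

```shell
#!/bin/sh
# Added example. Every certificate below is constructed test data written to a
# temporary directory; server.pem is an assumed name for the RADIUS server cert.

# anchors_server_cert CA_FILE SERVER_CERT
# Succeeds only if SERVER_CERT verifies against CA_FILE as the sole trust anchor.
# Matching "<file>: OK" rather than trusting the exit status keeps the check
# correct on old OpenSSL builds whose verify command exits 0 on failure.
anchors_server_cert() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# make_test_certs DIR
# Creates two unrelated self-signed certificates in DIR:
#   root.pem   stands in for the CA that issued the client cert
#   server.pem stands in for the RADIUS server's self-signed cert
make_test_certs() {
    for name in root server; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-$name" \
            -keyout "$1/$name.key" -out "$1/$name.pem" 2>/dev/null || return 1
    done
}

# report CA_FILE SERVER_CERT: print the verdict for one ca_cert candidate.
report() {
    if anchors_server_cert "$1" "$2"; then
        echo "ca_cert=$1 accepts $2"
    else
        echo "ca_cert=$1 rejects $2"
    fi
}

demo_dir=$(mktemp -d) || exit 1
if make_test_certs "$demo_dir"; then
    report "$demo_dir/root.pem" "$demo_dir/server.pem"     # client CA: rejects
    report "$demo_dir/server.pem" "$demo_dir/server.pem"   # the cert itself: accepts
fi
rm -rf "$demo_dir"
```

Run against the real files, the candidate that is accepted is the one to name in `ca_cert`.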