Different root CA for wpa_supplicant and freeradius
Carolin Latze
carolin.latze
Tue Jan 29 04:02:27 PST 2008
Alan DeKok wrote:
> Carolin Latze wrote:
>
>> I plan to use different root CAs for the authentication server
>> (freeradius) and the peers (wpa_supplicant) in EAP-TLS.
>>
>
> I'm not sure what you mean by that. EAP-TLS involves a client
> certificate which is signed by a server certificate. The server
> certificate may or may not be signed by a root CA.
>
> You can't have two root CAs for EAP-TLS.
>
>
Hm... so it seems that I really misunderstood EAP-TLS. I found a
tutorial for an EAP-TLS setup where I was asked to create my own CA and
generate a root certificate, which signs the server and client
certificates. I never signed the client certificates using the server
certificate itself. When I used wpa_supplicant to authenticate with
freeradius I was able to get "EAP state = SUCCESS". So I thought the
certificates were OK. I was never able to finish the connection setup,
since I always got "WPA: Failed to set PTK to the driver." after EAP
SUCCESS, but asking Google I read that this is a problem with my WLAN
card. Am I wrong? What did I miss?
Carolin