Different root CA for wpa_supplicant and freeradius

Alan DeKok aland
Tue Jan 29 07:43:37 PST 2008

Carolin Latze wrote:
>>   You can't have two root CAs for EAP-TLS.
> hm... so it seems that I really misunderstood EAP-TLS.... I found a
> tutorial for an EAP-TLS setup where I was asked to create my own CA,
> generate a root certificate, which signs the server and client
> certificates. I never signed the client certificates using the server
> certificate itself.

  Careful use of terminology is important.  In this case, you are using
ONE root certificate, not two.  EAP-TLS works by authenticating client
certificates signed by a known certificate.  Subject to some
limitations, this known certificate can be the server certificate, or
ANY certificate that signs the server certificate, up to the root

> When I used wpa_supplicant to authenticate with
> freeradius I was able to get "EAP state = SUCCESS".

 If you're using FreeRADIUS, see the comments in raddb/eap.conf, and
raddb/certs/README for more information.  The current 2.0.1 release
explains some of the issues surrounding using multiple certificates for
EAP-TLS authentication.

> So I thought the
> certificates were ok. I was never able to finish the connection setup,
> since I always got "WPA: Failed to set PTK to the driver." after EAP
> SUCCESS, but asking Google I read that this is a problem with my wlan
> card. Am I wrong? What did I miss?

  You allowed the root CA to issue client certificates, and told the
server to accept them.  This means that the root CA can issue client
certificates without the server knowing.  If you own the root CA, that's
OK.  If the root CA is Verisign, that means *anyone* with a
Verisign-signed certificate can issue client certificates, and be
authenticated in your network.

  Alan DeKok.
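Alan's point about letting a public root issue client certificates, as an added example that is not part of this thread: a shell script using openssl (the tool raddb/certs also uses) that models the server's trust decision with `openssl verify`. The CA names, subjects, file names and the stand-in "public root" are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): two trust configurations for an
# EAP-TLS server, modelled with openssl. "public-root" stands in for a
# commercial CA such as the Verisign case above; "private-ca" is a CA you
# own. All names, subjects and files below are constructed for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA certificate plus key: $1 = file stem, $2 = subject.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.pem" -subj "$2" 2>/dev/null
}

# End-entity certificate signed by CA $3: $1 = file stem, $2 = subject.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -days 1 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -out "$1.pem" 2>/dev/null
}

# What the RADIUS server effectively does with a client certificate:
# accept it if it chains to a CA in its trusted set ($1), else reject.
# Returns 0 for "authenticated", 1 for "rejected".
server_accepts() {
  openssl verify -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
}

make_ca public-root "/CN=Hypothetical Public Root"
make_ca private-ca  "/CN=My Own Wireless CA"

issue_cert alice    "/CN=alice"               private-ca   # your user
issue_cert server   "/CN=radius.example.test" public-root  # server cert
issue_cert stranger "/CN=stranger"            public-root  # anyone who bought one

# Misconfiguration from the thread: trusting the public root for clients.
server_accepts public-root stranger && echo "public root: stranger authenticated"
# Fix: trust only the CA you control for client certificates.
server_accepts private-ca alice     && echo "private CA: alice authenticated"
server_accepts private-ca stranger  || echo "private CA: stranger rejected"
```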
