Different root CA for wpa_supplicant and freeradius

Carolin Latze carolin.latze
Tue Jan 29 23:28:19 PST 2008

Alan DeKok wrote:
> Carolin Latze wrote:
>>>   You can't have two root CA's for EAP-TLS.
>> hm... so it seems that I really misunderstood EAP-TLS.... I found a
>> tutorial for an EAP-TLS setup where I was asked to create my own CA,
>> generate a root certificate, which signs the server and client
>> certificates. I did never sign the client certificates using the server
>> certificate itself.
>   Careful use of terminology is important.  In this case, you are using
> ONE root certificate, not two.  EAP-TLS works by authenticating client
> certificates signed by a known certificate.  Subject to some
> limitations, this known certificate can be the server certificate, or
> ANY certificate that signs the server certificate, up to the root
> certificate.
Yes, in this case, it is only _one_ root certificate... I just described
this setup to ask whether I really need to sign client certificates
using the server certificate. That issue is solved now. But in the
future, I plan to use _two_ root certificates. My first mail was written
to ask for that future setup...
>> When I used wpa_supplicant to authenticate with
>> freeradius I was able to get "EAP state = SUCCESS".
>  If you're using FreeRADIUS, see the comments in raddb/eap.conf, and
> raddb/certs/README for more information.  The current 2.0.1 release
> explains some of the issues surrounding using multiple certificates for
> EAP-TLS authentication.
Ok thanks.. I read the comments in eap.conf, but was not sure about the
client side, therefore, I asked.
>> So I thought, the
>> certificates were ok. I was never able to finish the connection setup,
>> since I always got "WPA: Failed to set PTK to the driver." after EAP
>> SUCCESS, but asking google I read that this is problem with my wlan
>> card.. Am I wrong? What did I miss?
>   You allowed the root CA to issue client certificates, and told the
> server to accept them.  This means that the root CA can issue client
> certificates without the server knowing.  If you own the root CA, that's
> OK.  If the root CA is Verisign, that means *anyone* with a
> Verisign-signed certificate can issue client certificates, and be
> authenticated in your network.
Ok, thats clear now... So we misunderstood each other.

Thats for explanations.


More information about the Hostap mailing list