hostapd + freeradius: unknown ca error

Jouni Malinen j
Sun Jan 12 07:41:12 PST 2014

On Sun, Jan 12, 2014 at 04:37:36PM +0100, Svein Olav Bjerkeset wrote:

> However when hostapd contacts the radius server, it uses EAP-TLS, and after
> some traffic back and forth, hostapd sends a fatal error back to the radius
> server stating that the CA is unknown.

That's not originating from hostapd/Authenticator. It is from the
station/supplicant that runs the EAP peer. hostapd is just proxying the
messages between the authentication server and the station in this type
of setup.

> An strace of open and stat system calls for the hostapd process seems to
> show that it does not try to open any files which are SSL-related.

Which is expected since those operations happen at the stations.

> How can I tell hostapd which CAs to trust when using an external radius
> server?

You don't; you tell the EAP peer on the station that.

Jouni Malinen                                            PGP id EFC895FA
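
What setting the trusted CA on the station can look like, assuming the station runs wpa_supplicant (the thread does not say which supplicant is in use). This is an added example, not part of the original message; the SSID, identity, file paths and server name are placeholders.

```conf
# wpa_supplicant.conf on the station (the EAP peer), not on the hostapd host.
# Every value below is a placeholder chosen for illustration.
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"

    # Trust anchor: the CA that issued the RADIUS server's certificate.
    # If this points at a different CA, the peer rejects the server
    # certificate and sends the TLS "unknown CA" alert, which hostapd
    # then relays to the RADIUS server.
    # If ca_cert (and ca_path) is omitted entirely, wpa_supplicant does not
    # verify the server certificate at all, so do not "fix" the alert by
    # removing this line.
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"

    # Also require the expected server name in the certificate, so that
    # another certificate issued by the same CA is not accepted.
    domain_suffix_match="radius.example.org"

    # Client credentials for EAP-TLS.
    client_cert="/etc/wpa_supplicant/client.pem"
    private_key="/etc/wpa_supplicant/client.key"
    private_key_passwd="placeholder-passphrase"
}
```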
