Fw: EAP-TLS problem
bryan at kadzban.is-a-geek.net
Tue Jun 12 18:39:15 EDT 2007
shantanu choudhary wrote:
> I am using certificates generated from the server itself and they are
> self signed.
Then they will have to be trusted by wpa_supplicant.
> With Windows, using the same set of certificates, I am able to get
> connected to AP.
I suspect that's because Windows is set up so it doesn't require a valid
cert from the server. But it doesn't really matter.
If your RADIUS server is using a self-signed cert, then that self-signed
cert needs to be named in this option, not root.pem. The ca_cert option
controls which certs the supplicant will accept from the RADIUS server:
the RADIUS server has to use a cert that's signed by the cert in the
ca_cert file. (This is for client-side security, so the client doesn't
associate with a network served by an untrusted RADIUS server.)
I am assuming that root.pem is the CA that signed the client cert you're
using (shan.pem), right? I don't think the client cert's signer needs
to be listed in the ca_cert option; I think the only thing controlled by
that option is which server certs are valid.
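The ca_cert point from the reply above, as an added wpa_supplicant.conf example that is not part of the original message. root.pem and shan.pem are the files named in the thread; the SSID, identity, directory, private key file and the radius-server.pem name are assumptions.

```conf
# Constructed example. Keep only one of the two network blocks in a real file.

# Before: ca_cert names the CA that signed the client cert (root.pem).
# A self-signed RADIUS server cert does not chain to that CA, so the
# supplicant rejects the server during the EAP-TLS handshake.
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="shan"
    ca_cert="/etc/cert/root.pem"
    client_cert="/etc/cert/shan.pem"
    private_key="/etc/cert/shan.key"
    private_key_passwd="changeme"
}

# After: ca_cert names the RADIUS server's own self-signed cert
# (radius-server.pem is an assumed file name, exported from the server).
# ca_cert only decides which server certs the supplicant accepts; the
# client cert and key settings are unchanged.
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="shan"
    ca_cert="/etc/cert/radius-server.pem"
    client_cert="/etc/cert/shan.pem"
    private_key="/etc/cert/shan.key"
    private_key_passwd="changeme"
}

# Leaving ca_cert (and ca_path) out makes the connection come up as well,
# but only because the server certificate is then not verified at all.
# Pin the server cert as shown above instead of removing the option.
```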