Certificate request for supplicant

Bryan Kadzban bryan at kadzban.is-a-geek.net
Mon Sep 25 20:15:59 EDT 2006

Atif Ikram wrote:
> We do not know what type of RADIUS server is installed on our
> client's network.  All we know is that it is setup with EAP-TLS as
> default authentication method.

EAP-TLS requires a trusted CA certificate (or possibly a set of them) to
be configured on the RADIUS server.  The client will need a certificate
signed by that trusted CA (or one that chains to it).

When your client set up their RADIUS server, they chose which CA cert
(or possibly which set) they were going to use to generate their client
certs, and they configured their RADIUS server to use that CA cert as
the required root.

> Now I am thinking we need to contact Verisign or Entrust

You should not need to do that, and in fact if you do, it may not work.
(Because Verisign and/or Entrust are probably not trusted by the RADIUS
server.  They are trusted by most web browsers, but that's an entirely
different setup.)

Just contact your client and ask them for a cert to use that's valid for
their RADIUS server.  They should be able to generate one.  They may
want you to provide a CSR, though, so they're sure that only you know
the certificate's private key.  OpenSSL can generate CSRs, using the
"req" subcommand.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20060925/452967ad/attachment.pgp 

More information about the HostAP mailing list