xia sihua wrote:
...
> CA_file = ${cadir}/ca.pem
> ....
>
> The supplicant I use TeraDot1x Tester from Spirent communication.
> ...
> Configuration: ...
> Root Certificate Filename: server.pem

  I think that should be "ca.pem".

> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA

  Yes, the client is telling you that it doesn't know anything about ca.pem.

> If I change Root Certificate Filename from server.pem to ca.pem, will
> come out following error.
> ....
> eaptls_verify returned 11
> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
> TLS Alert read:fatal:bad certificate

  Ask the supplicant vendor why they don't like the certificate we provide.

> If I use those certificates provided by spirent, can pass. I do not know why?
> Any ideas?

  Print out the spirent certificates, and post the result here. Maybe there's some extra magic needed.

$ openssl x509 -text -in spirent.crt

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
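
Added example (not part of the original message, and not FreeRADIUS or Spirent code): a local reproduction of the trust-anchor mix-up discussed above, using `openssl verify` as a stand-in for the supplicant's chain check. The certificates and subject names are constructed throwaway test data, and the function names are hypothetical; only the file names ca.pem and server.pem come from the thread.

```shell
#!/bin/sh
# Added example. All certificates here are constructed throwaway test data;
# only the file names ca.pem and server.pem come from the thread.

make_certs() {    # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -days 1 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 chains to the trust anchor file $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the issuer name of $2 matches the subject name of $1.
issued_by() {
    [ "$(openssl x509 -noout -issuer_hash -in "$2")" = \
      "$(openssl x509 -noout -subject_hash -in "$1")" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_certs "$d" || return 1
    for anchor in ca.pem server.pem; do
        if chains_to "$d/$anchor" "$d/server.pem"; then
            echo "trust anchor $anchor: server.pem verifies"
        else
            echo "trust anchor $anchor: server.pem does NOT verify"
        fi
    done
    # Fields worth comparing against a certificate the supplicant accepts.
    openssl x509 -noout -subject -issuer -dates -in "$d/server.pem"
    rm -rf "$d"
}

demo
```

With server.pem as the only trust anchor the chain check fails, because the certificate's issuer is not in the trust store; with ca.pem it succeeds.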