I hate to resurrect this long thread from July 22-28, but I have the same problem and never saw a resolution.
I'm using FreeRadius 2.0.5 on CentOS 5.2 with wpa_supplicant 0.6.4 (latest to date). I'm using the bootstrap script to generate example certificates. I also created a client certificate using make client.pem. I configured wpa_supplicant with ca.pem, client.pem and client.key. EAP-TLS authentication fails with the "fatal unknown ca" message. If I hack the Makefile like Sergio mentioned last month to sign the client certificate with the CA key, then authentication succeeds.

In last month's thread, Alan DeKok posted:

> You need to follow the documentation in eap.conf.
>
> # If CA_file (below) is not used, then the
> # certificate_file below MUST include not
> # only the server certificate, but ALSO all
> # of the CA certificates used to sign the
> # server certificate.
> certificate_file = ${certdir}/server.pem
>
> Have you done that?

In my case, CA_file does indeed refer to ca.pem as created by the bootstrap script. So I'm assuming that I don't need to touch the server.pem file as created.

I'd really like to understand what's wrong. Could wpa_supplicant be somehow incompatible with the bootstrap certificate chain?

Thanks
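An added diagnostic, not part of the original post or of FreeRADIUS: a shell check of whether a client certificate chains to the CA file alone, and which certificate actually issued it. The function names and the constructed demo chain (one client certificate signed by a server key, one signed by the CA key) are assumptions for illustration.

```shell
#!/bin/sh
# Added example. All certificates built by make_demo_chain are constructed test data.

# Print "ok" if CERT verifies against CAFILE alone, otherwise "unknown-ca".
chain_status() {  # usage: chain_status CAFILE CERT
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-ca
    fi
}

# Print the first CANDIDATE whose subject equals CERT's issuer, or "none".
issued_by() {  # usage: issued_by CERT CANDIDATE...
    leaf=$1; shift
    want=$(openssl x509 -noout -issuer -in "$leaf" | sed 's/^issuer= *//')
    for cand in "$@"; do
        have=$(openssl x509 -noout -subject -in "$cand" | sed 's/^subject= *//')
        if [ "$want" = "$have" ]; then echo "$cand"; return 0; fi
    done
    echo none
}

# Build a constructed chain in DIR: CA -> server, plus the same client request
# signed once with the server key and once with the CA key.
make_demo_chain() {  # usage: make_demo_chain DIR
    ( set -e; cd "$1"
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.pem
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=Constructed Server" -keyout server.key -out server.csr
      openssl x509 -req -days 1 -in server.csr \
          -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=Constructed Client" -keyout client.key -out client.csr
      openssl x509 -req -days 1 -in client.csr \
          -CA server.pem -CAkey server.key -CAcreateserial -out client_by_server.pem
      openssl x509 -req -days 1 -in client.csr \
          -CA ca.pem -CAkey ca.key -CAcreateserial -out client_by_ca.pem
    ) >/dev/null 2>&1
}

# With arguments, report on real files: sh check.sh ca.pem client.pem [server.pem ...]
if [ $# -ge 2 ]; then
    ca=$1; crt=$2; shift 2
    echo "$crt: $(chain_status "$ca" "$crt"), issuer: $(issued_by "$crt" "$ca" "$@")"
fi
```

A result of unknown-ca with the issuer reported as server.pem means the verifier cannot build a path from the client certificate to ca.pem using ca.pem alone.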