Hi everyone, I got a testenvironment up and running for testing RADIUS authentication on a windows embedded CE 6.0 mobile client. I got it all working using "only" MSCHAPv2, user/pw authentication. But as soon as I want to validate my server certificate, I get errors concerning the certificate chain. It tells me, that my certificate is not signed by a trusted CA. And that's true, but I created a self signed CA certificate plus a chain derived from it. I admit that my thinking is somewhat narrow here, but shouldn't I be able to create a certificate chain to match my needs using 3rd party tools? The installation and configuration of a complete CA PKI infrastructure just blows this test project out of proportion. Does anybody have some clues, or even a guide for creating a certificate chain to be used by my NPS? Thanks in advance. Lenniey

Hi, I got another problem, different than the last one, which I could resolve by installing a complete PKI infrastructure in my testing environment. But now I want to use EAP-TLS with my shiny new certificates, and what happens? Nothing works. I don't have a clue what I should do. I try to establish a EAP-TLS connection, but my cisco AP541N logs this: Oct 18 15:42:58 info hostapd wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak) Oct 18 15:42:58 warn hostapd wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS) Oct 18 15:42:58 info hostapd The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure. NPS logs this: Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2 Netzwerkrichtlinienname: XXXXXX Authentifizierungsanbieter: Windows Authentifizierungsserver: XXXXX Authentifizierungstyp: EAP EAP-Typ: - Kontositzungs-ID: - Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben. Ursachencode: 22 Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann. I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS. I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it. Did anybody encounter something like this before? Or just knows what to do? Thanks in advance Lenniey