>You have to install the ca certificate and the client certificate on the
>client-computer, why should client cert be signed from the server cert?

Because the idea is to authenticate those users to *that* server, not to *every* server that got the certificate from that CA. With your approach the user would be admitted to some other network if their server was issued a certificate by the same CA. If you are using commercial certificates there might be thousands of servers with certificates issued by the same CA. And the user will be able to get onto all of them (if they use EAP-TLS).

Ivan Kalik
Kalik Informatika ISP
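The trust-anchor effect described in the reply above, reproduced with `openssl verify` as an added example (not part of the original thread). The CA names `SharedCA` and `SiteA-CA` and the user names are constructed; the script assumes the `openssl` CLI with its default configuration is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: SharedCA stands in for a CA that also issues to other sites,
# SiteA-CA for a private CA that only site A uses. All names are made up.
set -eu
work=$(mktemp -d)

# make_ca NAME: create a self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue CA NAME: create a client certificate for NAME signed by CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" \
    -CAkey "$work/$1.key" -CAcreateserial -days 1 \
    -out "$work/$2.pem" 2>/dev/null
}

# accepts TRUSTED_CA CLIENT: does a server whose only trust anchor is
# TRUSTED_CA accept CLIENT's certificate chain?
accepts() {
  if openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
  then echo accept
  else echo reject
  fi
}

make_ca SharedCA
make_ca SiteA-CA
issue SharedCA site-b-user   # a user of some other network, same shared CA
issue SiteA-CA site-a-user   # a user enrolled by site A's private CA

# Site A's server trusting the shared CA admits the other network's user too.
echo "trust SharedCA, site-b-user: $(accepts SharedCA site-b-user)"
# Site A's server trusting only its private CA admits only its own users.
echo "trust SiteA-CA, site-b-user: $(accepts SiteA-CA site-b-user)"
echo "trust SiteA-CA, site-a-user: $(accepts SiteA-CA site-a-user)"
```
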

