XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Michael Wang mwang25 at gmail.com
Sat Aug 6 00:30:29 CEST 2005

Hi Landon,

I think this piece from the log is suspicious:

> rlm_eap_tls:  Length Included
>  eaptls_verify returned 11
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate
> --> verify error:num=18:self signed certificate
> chain-depth=0,
> error=18
> --> User-Name = 360VL
> --> BUF-Name = 360VL
> --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
> Incorporated/CN=360VL/emailAddress=emailwithheld
> --> issuer  = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
> Incorporated/CN=360VL/emailAddress=emailwithheld
> --> verify return:0
>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
>   TLS_accept:error in SSLv3 read client certificate B
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

I think the problem is the user certificate that you imported into XP
is "self-signed".  What you need to do is use openssl to create a
certificate request (using openssl req ...) and then sign that request
using the CA (using openssl ca).  Then package up the user key and
signed user cert into the pkcs#12 envelope (using openssl pkcs12). 
Finally import into XP.  I looked at the instructions for certificate
generation in the linux format article and they look OK.  Make sure
you did not miss a step or use the wrong command somewhere.

As to using a password for the pkcs#12 envelope, go ahead and use it. 
When you import the pkcs#12 file into XP, it will just ask for it, and
you enter it, and that should be it.

Hope that helps.


More information about the Freeradius-Users mailing list