XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Sun Aug 7 15:47:57 CEST 2005


> I chose to start with this article as it was one of the most recent  
> tutorials I could find on the topic of FreeRADIUS and EAP TLS.

strange. the EAP-TLS HOWTO seems quite straightforward. everything
else is a rewrite of this guide.

> if you like.  You may be tempted to press Enter instead, especially  
> given that the WPA supplicant in Windows XP works only when you store  
> its certificates without a passphrases..."  I've tried generating the  

interesting. we've used pass phrases...stops people just copying the
certificate onto any unknown machine.

> client p12 file both ways and reimporting to XP's Personal  
> Certificates to no avail. Is that pkcs12 passphrase assertion still  
> true for XP supplicant?  Either way, with or without, I can't get  
> this to work, so that must not be the issue.

did you use the extra XP SSL additions as per the EAP-TLS HOWTO?

> I have also tried un-checking the "Validate Server Certificate" in  
> the 802.1x settings of XP for that Access Point.  I get the same  
> error, so the error seems to indicate an issue with not being able to  
> deal with the client side cert?
> I've imported both the cacert.pem into my Trusted Root Certs in XP  
> and the client_cert.p12 into "Personal->Certificates".   There were  
> no steps indicated I needed to import server cert  on the XP side  
> (which doesn't make sense anyway...just noting that here for  
> diagnostic purposes.)
> Any help towards solving this issue would be very much appreciated.
> Now for the debug log:
> TLS Alert write:fatal:unknown CA
>     TLS_accept:error in SSLv3 read client certificate B

though this seems to suggest that your FreeRADIUS doesn't know
much about this certificate. I'd check the eap.conf file
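
The alert in the log is written by the server, so the check to make is whether the client certificate inside the .p12 chains to the CA file the server trusts (the `CA_file` setting in the tls section of eap.conf). The script below is an added example, not part of the original message or of FreeRADIUS; the throwaway PKI it builds, the names caA and caB, and the passphrase are constructed for the demo.

```sh
# Added example; every file name, subject and passphrase here is constructed.

# Extract the client certificate (no private key) from a PKCS#12 bundle.
p12_client_cert() {  # usage: p12_client_cert BUNDLE.p12 PASSPHRASE OUT.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
}

# Succeeds only if CERT verifies against the CA file; on failure a TLS server
# trusting only that CA answers the client certificate with fatal unknown_ca.
chains_to_ca() {  # usage: chains_to_ca CA.pem CERT.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in DIR: two unrelated CAs, one client cert issued by caA.
make_constructed_pki() {
    (
    cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in caA caB; do
        openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -days 1 \
            -subj "/CN=Constructed $ca" -keyout "$ca.key" -out "$ca.pem" 2>/dev/null || exit 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -subj "/CN=constructed-client" -keyout client.key -out client.csr 2>/dev/null || exit 1
    openssl x509 -req -in client.csr -CA caA.pem -CAkey caA.key -set_serial 1 \
        -days 1 -out client.pem 2>/dev/null || exit 1
    openssl pkcs12 -export -in client.pem -inkey client.key \
        -passout pass:constructed -out client_cert.p12
    )
}

demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir"
p12_client_cert "$demo_dir/client_cert.p12" constructed "$demo_dir/extracted.pem"
for ca in caA caB; do
    chains_to_ca "$demo_dir/$ca.pem" "$demo_dir/extracted.pem" \
        && echo "$ca: client certificate accepted" \
        || echo "$ca: client certificate rejected (server would send unknown_ca)"
done
rm -rf "$demo_dir"
```

Against a real setup, run `p12_client_cert` on the bundle imported into XP and `chains_to_ca` with the file that `CA_file` points to.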

