more EAP/TTLS trouble

Alan DeKok aland at deployingradius.com
Wed May 23 17:16:40 CEST 2012


Steve Hopps wrote:
> I've got authentication with Android and Linux clients working using
> EAP/TTLS and PAP, however Windows and OSX clients don't seem to work.
> This is a log of a Windows 7 client. I was able to get iPhones working
> with a special config, but the same method doesn't seem to work for
> OSX. Any help you could offer is appreciated.

  This is pretty definitive:

> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
>     TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.

  IIRC, it means that the client doesn't have the same CA as the server.
 So it gets the server's certificate, and goes "huh?".  It then sends an
"unknown CA" back to the server.

  The solution is to add the CA to the client PC.

  Alan DeKok.
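
Added example, not part of the original message or of FreeRADIUS: a small log triage script that finds TLS alerts in debug output pasted into mail and reports which side sent them, since that decides whose trust store needs the CA. The function names, the hint table and the reading of ">>>"/"write" as server-sent are assumptions of this example.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the message above,
# with the mail client's "> " quoting and its wrapped line left as they appear.
SAMPLE = """\
> [peap] Length Included
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
"""

# "<<<" and "read" mark an alert the server received, i.e. sent by the client.
# Treating ">>>" and "write" as server-sent is an assumption about the format.
MSG_RE = re.compile(r"(<<<|>>>) TLS [\d.]+ Alert \[length \w+\], (\w+) (\w+)")
INFO_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)")

HINTS = {
    # From the reply above.
    ("client", "unknown_ca"): "client lacks the CA that issued the server "
                              "certificate; add that CA to the client",
    # General TLS meaning, not stated in the thread.
    ("server", "unknown_ca"): "server cannot chain the client certificate "
                              "to a CA it trusts",
}

def find_alerts(text):
    """Return unique consecutive (sender, level, alert) tuples from debug output."""
    alerts = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop mail quoting
        m = MSG_RE.search(line) or INFO_RE.search(line)
        if not m:
            continue
        sender = "client" if m.group(1) in ("<<<", "read") else "server"
        name = m.group(3).strip().lower().replace(" ", "_")
        alert = (sender, m.group(2).lower(), name)
        if not alerts or alerts[-1] != alert:  # both log forms report one alert
            alerts.append(alert)
    return alerts

def diagnose(text):
    """Return one human-readable finding per TLS alert in the log text."""
    return [f"{lvl} {name} sent by {who}: "
            + HINTS.get((who, name), "no hint recorded for this alert")
            for who, lvl, name in find_alerts(text)]

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)))
```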

