Troubleshooting EAP-TLS with External Certificates

Matthew West matthew.t.west at gmail.com
Fri Aug 5 18:30:05 CEST 2016


Hi Alan,

Thank you for your response.  I appreciate all the work you put into
this project and your reply.

>   That's the root cause of the problem.  You have a CA on the server, but haven't put the CA cert on the supplicant.
> You MUST do that in order to get EAP-TLS to work.
>
>   See http://deployingradius.com/ for detailed instructions.

I've used your site, solely, as a resource to set up FreeRADIUS.  I've
also used the wiki, but your site seems to work best.  Thank you for
helping me interpret the output.  I'll post back with my results.

Much appreciated,

Matthew

On Fri, Aug 5, 2016 at 5:33 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Aug 4, 2016, at 11:12 PM, Matthew West <matthew.t.west at gmail.com> wrote:
>>
>> Follow up to last e-mail.  Needed to use a different cert chain and
>> have uploaded that to the server.  Tried to authorize again and got a
>> similar error, below.  It appears the output means that the handshake
>> failed due to a self-signed certificate in the chain.
>
>   No.  Please read *all* of the messages.
>
>> Thank you,
>>
>> Matthew
>>
>> [tls] Done initial handshake
>> [tls] <<< TLS 1.0 Handshake [length 11fa], Certificate
>> --> verify error:num=19:self signed certificate in certificate chain
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert write:fatal:unknown CA
>
>   That's the root cause of the problem.  You have a CA on the server, but haven't put the CA cert on the supplicant.  You MUST do that in order to get EAP-TLS to work.
>
>   See http://deployingradius.com/ for detailed instructions.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
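The "verify error:num=19:self signed certificate in certificate chain" line in the debug output above is OpenSSL's X509 verify result code 19, which FreeRADIUS logs verbatim when it cannot build a trusted chain for the certificate presented in the handshake. The script below is an added example, not part of this thread and not FreeRADIUS code: it reproduces that exact error with the `openssl` command-line tool (assumed to be installed) by issuing a throwaway supplicant certificate from one self-signed CA and verifying it first against a trust store that contains the issuing CA, then against one that does not. The CA names, file names and the `verify_chain` helper are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce X509 verify
# error 19 ("self signed certificate in certificate chain") with openssl and
# show that it disappears once the issuing CA is in the trust store.
# Assumes the `openssl` binary is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two unrelated self-signed CAs (hypothetical names): "lab" issues the
# supplicant's certificate; "other" stands in for a trust store that
# does not contain the lab CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1-ca.key" \
    -out "$WORK/$1-ca.pem" -days 2 -subj "/CN=$1 CA" >/dev/null 2>&1
}
make_ca lab
make_ca other

# Supplicant (client) certificate signed by the lab CA.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
  -out "$WORK/client.csr" -subj "/CN=supplicant" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/lab-ca.pem" \
  -CAkey "$WORK/lab-ca.key" -CAcreateserial -out "$WORK/client.pem" \
  -days 1 >/dev/null 2>&1

# The chain the supplicant sends in its TLS Certificate message: its own
# certificate followed by the self-signed root that issued it.
cat "$WORK/client.pem" "$WORK/lab-ca.pem" > "$WORK/client-chain.pem"

# verify_chain TRUSTSTORE
# Verifies the supplicant's chain against TRUSTSTORE the way a TLS server
# would (the presented chain is "untrusted" input) and prints the X509
# verify error number: 0 for OK, otherwise the same N that FreeRADIUS
# shows as "verify error:num=N".
verify_chain() {
  out=$(openssl verify -CAfile "$1" -untrusted "$WORK/client-chain.pem" \
        "$WORK/client.pem" 2>&1) && { echo 0; return; }
  num=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${num:-unknown}"
}

echo "trust store contains the issuing CA: verify error num=$(verify_chain "$WORK/lab-ca.pem")"
echo "trust store lacks the issuing CA:    verify error num=$(verify_chain "$WORK/other-ca.pem")"
```

The second run is the situation in the thread: the chain ends in a self-signed root that the verifying side has never been told to trust, so OpenSSL reports error 19 and the TLS side sends the `unknown_ca` alert. Installing the right CA certificate on the verifying side (here, passing `lab-ca.pem` as the trust store) is the only thing that changes between the two runs.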