TLS Alert read:fatal:unknown CA

Alan Buxey alan.buxey at gmail.com
Sat Aug 19 18:31:13 CEST 2017


Hi

How did you install it on the Windows client? Just double clicked and chose
default options? You need to make sure you import it into the correct
certificate store location  eg local computer/trusted CA location.

alan

On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila at gmail.com> wrote:

> Hi everyone,
>
> I already success create 802.1x wireless authentication using freeradius
> and ldap, i did a test to every device that i have (iphone and laptop
> running windows 10 can connect to 802.1x wireless) but when i try to
> conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown
> CA" error. I already re-create the root CA (i did this following
> documentation
> http://deployingradius.com/documents/configuration/certificates.html),
> import it to the client, and ensure every detail of the certificate. Is
> there any bug with windows 7 or something? any kind of help would be
> appreciated. Thankyou (ca.cnf and server.cnf attached)
>
> Radius log :
> (0) Received Access-Request Id 60 from 172.30.254.3:49431 to
> 172.29.164.218:1812 length 267
> (0)   User-Name = "gpler"
> (0)   Chargeable-User-Identity = 0x03
> (0)   Location-Capable = Civix-Location
> (0)   Calling-Station-Id = "6c-71-d9-a9-5e-65"
> (0)   Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> (0)   NAS-Port = 1
> (0)   Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> (0)   Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> (0)   NAS-IP-Address = 172.30.xxx.x
> (0)   NAS-Identifier = "IPB-WLC-5520"
> (0)   Airespace-Wlan-Id = 69
> (0)   Service-Type = Framed-User
> (0)   Framed-MTU = 1300
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Tunnel-Type:0 = VLAN
> (0)   Tunnel-Medium-Type:0 = IEEE-802
> (0)   Tunnel-Private-Group-Id:0 = "255"
> (0)   EAP-Message = 0x0202000a0167706c6572
> (0)   Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 2 length 10
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0)     [eap] = ok
> (0)   } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_peap to process data
> (0) eap_peap: Initiating new EAP-TLS session
> (0) eap_peap: [eaptls start] = request
> (0) eap: Sending EAP Request (code 1) ID 3 length 6
> (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498
> (0)     [eap] = handled
> (0)   } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found.  Ignoring.
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to
> 172.30.xxx.x:49431 length 0
> (0)   EAP-Message = 0x010300061920
> (0)   Message-Authenticator = 0x00000000000000000000000000000000
> (0)   State = 0x68d16d7c68d27498a8bfbed341c368c9
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 61 from 172.30.254.3:49431 to
> 172.29.164.218:1812 length 380
> (1)   User-Name = "gpler"
> (1)   Chargeable-User-Identity = 0x03
> (1)   Location-Capable = Civix-Location
> (1)   Calling-Station-Id = "6c-71-d9-a9-5e-65"
> (1)   Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> (1)   NAS-Port = 1
> (1)   Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> (1)   Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> (1)   NAS-IP-Address = 172.30.xxx.x
> (1)   NAS-Identifier = "IPB-WLC-5520"
> (1)   Airespace-Wlan-Id = 69
> (1)   Service-Type = Framed-User
> (1)   Framed-MTU = 1300
> (1)   NAS-Port-Type = Wireless-802.11
> (1)   Tunnel-Type:0 = VLAN
> (1)   Tunnel-Medium-Type:0 = IEEE-802
> (1)   Tunnel-Private-Group-Id:0 = "255"
> (1)   EAP-Message =
> 0x0203006919800000005f160301005a01000056030159978e892bc0cea1
> 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00
> 350005000ac013c014c009c00a003200380013000401000015ff01000100
> 000a0006000400170018000b00020100
> (1)   State = 0x68d16d7c68d27498a8bfbed341c368c9
> (1)   Message-Authenticator = 0x9e55b07936045ad7e26084813251454b
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (1)   authorize {
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         if (&User-Name =~ /\.\./ )  -> FALSE
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (1)         if (&User-Name =~ /\.$/)  {
> (1)         if (&User-Name =~ /\.$/)   -> FALSE
> (1)         if (&User-Name =~ /@\./)  {
> (1)         if (&User-Name =~ /@\./)   -> FALSE
> (1)       } # if (&User-Name)  = notfound
> (1)     } # policy filter_username = notfound
> (1)     [preprocess] = ok
> (1)     [chap] = noop
> (1)     [mschap] = noop
> (1)     [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1)     [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 3 length 105
> (1) eap: Continuing tunnel setup
> (1)     [eap] = ok
> (1)   } # authorize = ok
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1)   authenticate {
> (1) eap: Expiring EAP session with state 0x68d16d7c68d27498
> (1) eap: Finished EAP session with state 0x68d16d7c68d27498
> (1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released
> from the list
> (1) eap: Peer sent packet with method EAP PEAP (25)
> (1) eap: Calling submodule eap_peap to process data
> (1) eap_peap: Continuing EAP-TLS
> (1) eap_peap: Peer indicated complete TLS record size will be 95 bytes
> (1) eap_peap: Got complete TLS record (95 bytes)
> (1) eap_peap: [eaptls verify] = length included
> (1) eap_peap: (other): before/accept initialization
> (1) eap_peap: TLS_accept: before/accept initialization
> (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello
> (1) eap_peap: TLS_accept: unknown state
> (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello
> (1) eap_peap: TLS_accept: unknown state
> (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate
> (1) eap_peap: TLS_accept: unknown state
> (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
> (1) eap_peap: TLS_accept: unknown state
> (1) eap_peap: TLS_accept: unknown state
> (1) eap_peap: TLS_accept: unknown state
> (1) eap_peap: TLS_accept: Need to read more data: unknown state
> (1) eap_peap: TLS_accept: Need to read more data: unknown state
> (1) eap_peap: In SSL Handshake Phase
> (1) eap_peap: In SSL Accept mode
> (1) eap_peap: [eaptls process] = handled
> (1) eap: Sending EAP Request (code 1) ID 4 length 778
> (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498
> (1)     [eap] = handled
> (1)   } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found.  Ignoring.
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to
> 172.30.xxx.x:49431 length 0
> (1)   EAP-Message =
> 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b
> d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001
> 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202
> 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30
> (1)   Message-Authenticator = 0x00000000000000000000000000000000
> (1)   State = 0x68d16d7c69d57498a8bfbed341c368c9
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to
> 172.29.164.218:1812 length 292
> (2)   User-Name = "gpler"
> (2)   Chargeable-User-Identity = 0x03
> (2)   Location-Capable = Civix-Location
> (2)   Calling-Station-Id = "6c-71-d9-a9-5e-65"
> (2)   Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> (2)   NAS-Port = 1
> (2)   Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> (2)   Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> (2)   NAS-IP-Address = 172.30.xxx.x
> (2)   NAS-Identifier = "IPB-WLC-5520"
> (2)   Airespace-Wlan-Id = 69
> (2)   Service-Type = Framed-User
> (2)   Framed-MTU = 1300
> (2)   NAS-Port-Type = Wireless-802.11
> (2)   Tunnel-Type:0 = VLAN
> (2)   Tunnel-Medium-Type:0 = IEEE-802
> (2)   Tunnel-Private-Group-Id:0 = "255"
> (2)   EAP-Message = 0x0204001119800000000715030100020230
> (2)   State = 0x68d16d7c69d57498a8bfbed341c368c9
> (2)   Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (2)   authorize {
> (2)     policy filter_username {
> (2)       if (&User-Name) {
> (2)       if (&User-Name)  -> TRUE
> (2)       if (&User-Name)  {
> (2)         if (&User-Name =~ /@[^@]*@/ ) {
> (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (2)         if (&User-Name =~ /\.\./ ) {
> (2)         if (&User-Name =~ /\.\./ )  -> FALSE
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (2)         if (&User-Name =~ /\.$/)  {
> (2)         if (&User-Name =~ /\.$/)   -> FALSE
> (2)         if (&User-Name =~ /@\./)  {
> (2)         if (&User-Name =~ /@\./)   -> FALSE
> (2)       } # if (&User-Name)  = notfound
> (2)     } # policy filter_username = notfound
> (2)     [preprocess] = ok
> (2)     [chap] = noop
> (2)     [mschap] = noop
> (2)     [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2)     [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 4 length 17
> (2) eap: Continuing tunnel setup
> (2)     [eap] = ok
> (2)   } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2)   authenticate {
> (2) eap: Expiring EAP session with state 0x68d16d7c69d57498
> (2) eap: Finished EAP session with state 0x68d16d7c69d57498
> (2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released
> from the list
> (2) eap: Peer sent packet with method EAP PEAP (25)
> (2) eap: Calling submodule eap_peap to process data
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes
> (2) eap_peap: Got complete TLS record (7 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
> *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA*
> *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state*
> *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)*
> *(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1
> alert unknown ca*
> *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
> handshake failure*
> *(2) eap_peap: ERROR: System call (I/O) error (-1)*
> *(2) eap_peap: ERROR: TLS receive handshake failed during operation*
> *(2) eap_peap: ERROR: [eaptls process] = fail*
> *(2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
> failed*
> (2) eap: Sending EAP Failure (code 4) ID 4 length 4
> (2) eap: Failed in EAP select
> (2)     [eap] = invalid
> (2)   } # authenticate = invalid
> (2) Failed to authenticate the user
> (2) Using Post-Auth-Type Reject
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2)   Post-Auth-Type REJECT {
> (2) attr_filter.access_reject: EXPAND %{User-Name}
> (2) attr_filter.access_reject:    --> gpler
> (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (2)     [attr_filter.access_reject] = updated
> (2)     [eap] = noop
> (2)     policy remove_reply_message_if_eap {
> (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (2)       else {
> (2)         [noop] = noop
> (2)       } # else = noop
> (2)     } # policy remove_reply_message_if_eap = noop
> (2)   } # Post-Auth-Type REJECT = updated
> (2) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (2) Sending delayed response
> (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to
> 172.30.xxx.x:49431
> length 44
> (2)   EAP-Message = 0x04040004
> (2)   Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 60 with timestamp +628
> (1) Cleaning up request packet ID 61 with timestamp +628
> (2) Cleaning up request packet ID 62 with timestamp +628
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>


More information about the Freeradius-Users mailing list