Freeradius - eapol testing failure

Alan DeKok aland at
Mon Apr 15 01:34:40 CEST 2019

On Apr 14, 2019, at 7:18 PM, rbbhill at wrote:
> Hi all, thanks for your help in advance. I have spent the last week trying
> to solve this issue, I have read and read all information I can find. I have
> set up a raspberry pi 3, with freeradius 3.0 and openssl. For the freeradius
> I have followed the guides by each detail in full, the only exception is
> replacing etc/raddb with etc/freeradius/3.0. The freeradius server is set up
> and running and I have completed testing with local host using radtest and
> eapol. Test results:


> Localhost = Ok, passes - used radtest bob hello localhost 0 testing123
> EAP (using EAPOL)
> PEAPv0_EAP-MSCHAPv2 = Ok, Passes
> EAP-TTLS_EAP-MSCHAPv2 = Ok, Passes

  That's good.

> Good so far, next I edit EAPOL test scripts to uncomment so as to use the
> test certs for testing. The only thing I changed here was
> /etc/raddb/certs/ca.der to /etc/freeradius/3.0/certs/ca.der so as to point
> test utility to the correct directory. 


> EAP (using EAPOL with cert check uncommented)
> PEAPv0_EAP-MSCHAPv2 = Fails, TLS Alert read:fatal:unknown CA
> EAP-TTLS_EAP-MSCHAPv2 = Fails, TLS Alert read:fatal:unknown CA

  That means you haven't told eapol_test what the CA cert is.

  The eapol_test configuration file *should* point to the correct CA file.  If that's done, then the "unknown CA" error should go away.

> I followed deployingradius, and used make to build certs, they are all
> populated in the directory, but tests repeatedly fail. This same error comes
> up repeatedly across peap and ttls using cert:
> Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: TLS Alert read:fatal:unknown
> CA
> Sun Apr 14 16:56:49 2019 : Debug: (9) eap_ttls: TLS_accept: Need to read
> more data: SSLv3/TLS write server done
> Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: Failed in __FUNCTION__
> (SSL_read): ../ssl/record/rec_layer_s3.c[1407]:error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca

  That's eapol_test telling FreeRADIUS that eapol_test doesn't like the CA cert being presented by FreeRADIUS.

  If this authentication isn't with eapol_test, then the same comment applies.  Configure the supplicant to know about the CA cert used by FreeRADIUS.

> Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: System call (I/O) error (-1)
> Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: TLS receive handshake failed
> during operation
> Sun Apr 14 16:56:49 2019 : ERROR: (9) eap_ttls: [eaptls process] = fail
> Sun Apr 14 16:56:49 2019 : ERROR: (9) eap: Failed continuing EAP TTLS (21)
> session.  EAP sub-module failed
> I am very new to radius, and I am trying to setup the server to test with
> some headless devices, and they need to be able to support PEAP, TLS, and
> TTLS with certs. I went as far as setting a completely identical server on
> another Pi and tried with production certificates, with same error. The only
> thing I notice different is that when I access the network with my iphone,
> the public cert it sends my iphone is completely different than any of the
> certs in /etc/freeradius/3.0/certs/. 

  Then the server isn't using /etc/freeradius/3.0/certs/, is it?

  READ the debug output.  ALL OF IT.  It will print out what files it's reading, including which certificates it's reading.  Those are the certificates you need to use.

> Verbose log:
> Sun Apr 14 16:55:58 2019 : Info: Ready to process requests

  PLEASE read the documentation on what to post to the list.  When you join the list, you get an email message telling to read the documentation.  It includes a URL.  PLEASE read it.

  Alan DeKok.

More information about the Freeradius-Users mailing list