eap_peap: ERROR: TLS Alert read:fatal:unknown CA

L. Rose lists at lrose.de
Tue Nov 19 19:45:55 CET 2019

Hello everyone,

We've recently upgraded one of our freeradius servers to 3.0.17; the 
configuration remains unchanged. Now, whenever a device connects to 
WiFi, the authentication fails with:

eap_peap: ERROR: TLS Alert read:fatal:unknown CA

Downgrading freeradius to 3.0.16 fixes the issue, as does disabling 
certificate checking on the client device (but that's obviously not an 
option). I've also tried all later versions including 3.0.20; all of 
them have this problem. Similarly, all versions 3.0.13 - 3.0.16 are 
working successfully.

I was able to rule out the specific git commit which introduces this 
problem. #66c66729a51713c8a282b483e3cc76b43a234efa is the last working 
version (checked out and built from source). 
#595b4ddb9571772322ad2546f0faba91aa32daf1 seems to be the first "faulty" 

Any ideas how to fix this issue? I would like to attach the complete 
output of freeradius -X, but that contains identifying information 
that's hard to strip. But if you need more information, I'll see what I 
can do. For now, see the output of freeradius -X for the failing connection.

Is this a bug? I don't think that the behavior of freeradius should 
change from 3.0.16 to 3.0.17, especially as the commit message for 
#595b4ddb9571772322ad2546f0faba91aa32daf1 only says: "TLS: Allow partial 
certificate chain to trusted CA". That doesn't feel like some 
functionality was removed, does it?

Thanks in advance,
L. Rose

More information about the Freeradius-Users mailing list