eap_peap: ERROR: TLS Alert read:fatal:unknown CA

Ibrahim AKSIT ibrahimaksit at gmail.com
Tue Nov 19 21:23:34 CET 2019

Hello there, I had a similar issue today with FR 3.0.20. I set the
following settings in mods-available/eap.
By the way, my OpenSSL version is 1.1.1d.

tls_min_version = "1.2"
tls_max_version = "1.3"

I restarted and everything worked well like a charm.
I hope this will work for you too.

İbrahim AKŞİT

Best Regards and Wishes
Yours Sincerely.

On Tue, Nov 19, 2019 at 11:08 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Nov 19, 2019, at 1:45 PM, L. Rose <lists at lrose.de> wrote:
> >
> > We've recently upgraded one of our freeradius servers to 3.0.17, the
> > configuration remains unchanged. Now, whenever a device connects to WiFi,
> > the authentication fails with:
> >
> > eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> >
> > Downgrading freeradius to 3.0.16 fixes the issue, as well as disabling
> > certificate checking on the client device (but that's obviously not an
> > option). I've also tried all later versions including 3.0.20, all of them
> > have this problem. Similarly, all versions 3.0.13 - 3.0.16 are working
> > successfully.
>
>   That isn't good.
>
> > I was able to rule out the specific git commit which introduces this
> > problem. #66c66729a51713c8a282b483e3cc76b43a234efa is the last working
> > version (checked out and built from source).
> > #595b4ddb9571772322ad2546f0faba91aa32daf1 seems to be the first "faulty"
> > version.
>
>   That's just a merge commit.  The actual change is in 8e54822dcaf1.
> Which just sets a flag in OpenSSL.
>
> > Any ideas how to fix this issue? I would like to attach the complete
> > output of freeradius -X, but that contains identifying information that's
> > hard to strip. But if you need more information, I'll see what I can do.
> > For now, see the output of freeradius -X for the failing connection.
> >
> > Is this a bug? I don't think that the behavior of freeradius should
> > change from 3.0.16 to 3.0.17, especially as the commit message for
> > #595b4ddb9571772322ad2546f0faba91aa32daf1 only says: "TLS: Allow partial
> > certificate chain to trusted CA". That doesn't feel like some functionality
> > was removed, does it?
>
>   It shouldn't change anything.
>
>   What do your certificate chains look like?  Maybe OpenSSL is getting the
> certificate chains wrong.
>
>   Try setting "auto_chain = no" in mods-available/eap.  Be aware though
> that this means you will need to order the certificates yourself.  i.e.
> "certificate_file" will have to contain the entire certificate chain, in
> order.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
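The two things the thread turns on are the ordering of certificate_file when auto_chain = no and what a "partial chain" verification flag changes. The script below is an added example, not code from the thread or from the FreeRADIUS project. It builds a throwaway root -> intermediate -> server chain with openssl (the CA names, file names and radius.example.test subject are made up), checks a candidate certificate_file the way OpenSSL's chain-file convention expects it (leaf first, then each issuer in turn, which is the "entire certificate chain, in order" Alan refers to), and then shows that a chain which ends at a trusted intermediate is rejected by `openssl verify` by default and accepted with `-partial_chain`. That `openssl verify` option is assumed to exercise the same kind of OpenSSL verification flag as the "allow partial certificate chain" change discussed above; the example does not claim to reproduce the commit itself. It needs openssl 1.1.1 or later on the PATH and nothing else.

```sh
#!/bin/sh
# Added example (not from the thread): build a toy root -> intermediate -> server
# chain, check a certificate_file bundle for auto_chain = no ordering, and show
# what -partial_chain changes.  All names and subjects are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
export OPENSSL_CONF="$CFG"      # do not depend on the system openssl.cnf

cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Self-signed root CA.
openssl req -x509 -config "$CFG" -extensions ca_ext $KEYOPTS \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Demo Root CA" -days 30 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -config "$CFG" $KEYOPTS \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -extfile "$CFG" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null
# RADIUS server certificate, signed by the intermediate.
openssl req -new -config "$CFG" $KEYOPTS \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=radius.example.test" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 30 -extfile "$CFG" -extensions server_ext -out "$WORK/server.pem" 2>/dev/null

# Two candidate certificate_file bundles: leaf first (correct) and issuer first (wrong).
cat "$WORK/server.pem" "$WORK/int.pem" > "$WORK/chain-good.pem"
cat "$WORK/int.pem" "$WORK/server.pem" > "$WORK/chain-wrong.pem"

# Split a PEM bundle into cert1.pem, cert2.pem, ... in file order; print the directory.
split_bundle() {
    d=$(mktemp -d "$WORK/split.XXXXXX")
    awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (dir "/cert" n ".pem") }' "$1"
    printf '%s\n' "$d"
}

# check_chain_order BUNDLE KEY: the first certificate must belong to KEY and every
# later certificate must be the issuer of the one before it.  Returns non-zero
# (with the reason on stdout) when the bundle would not load as a server chain.
check_chain_order() {
    bundle=$1; key=$2
    d=$(split_bundle "$bundle")
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    leaf_pub=$(openssl x509 -in "$d/cert1.pem" -noout -pubkey)
    if [ "$key_pub" != "$leaf_pub" ]; then
        echo "$bundle: first certificate does not match $key"; return 1
    fi
    i=1
    while [ -f "$d/cert$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$d/cert$((i + 1)).pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "$bundle: certificate $((i + 1)) is not the issuer of certificate $i"; return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# verify_leaf TRUSTED LEAF [extra openssl verify options]: does LEAF chain to TRUSTED?
verify_leaf() {
    trusted=$1; leaf=$2; shift 2
    openssl verify "$@" -CAfile "$trusted" "$leaf" >/dev/null 2>&1
}

if check_chain_order "$WORK/chain-good.pem" "$WORK/server.key"; then
    echo "chain-good.pem: usable as certificate_file with auto_chain = no"
fi
check_chain_order "$WORK/chain-wrong.pem" "$WORK/server.key" || true

# Full chain to the root, intermediate supplied as untrusted: passes.
verify_leaf "$WORK/root.pem" "$WORK/server.pem" -untrusted "$WORK/int.pem" && echo "full chain to root: OK"
# Only the intermediate trusted: rejected by default, accepted with the partial-chain flag.
verify_leaf "$WORK/int.pem" "$WORK/server.pem" || echo "chain ending at intermediate: rejected by default"
verify_leaf "$WORK/int.pem" "$WORK/server.pem" -partial_chain && echo "chain ending at intermediate: OK with -partial_chain"
```

To apply the check to a real deployment, run check_chain_order against the file named by certificate_file and the key named by private_key_file in mods-available/eap; a bundle that starts with an intermediate, or skips a level, is exactly the kind of input that OpenSSL may turn into a chain the client cannot link to a CA it trusts.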
