eap_peap: ERROR: TLS Alert read:fatal:unknown CA
ibrahimaksit at gmail.com
Tue Nov 19 21:23:34 CET 2019
Hello there, I had a similar issue today for FR 3.0.20. I set the
following settings in mods-available/eap.
By the way, my OpenSSL version is 1.1.1d.

tls_min_version = "1.2"
tls_max_version = "1.3"

I restarted and everything worked well like a charm.
I hope this will work for you too.
Best Regards and Wishes

On Tue, Nov 19, 2019 at 11:08 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 19, 2019, at 1:45 PM, L. Rose <lists at lrose.de> wrote:
> > We've recently upgraded one of our freeradius servers to 3.0.17, the
> > configuration remains unchanged. Now, whenever a device connects to WiFi,
> > the authentication fails with:
> >
> > eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> >
> > Downgrading freeradius to 3.0.16 fixes the issue, as well as disabling
> > certificate checking on the client device (but that's obviously not an
> > option). I've also tried all later versions including 3.0.20, all of them
> > have this problem. Similarly, all versions 3.0.13 - 3.0.16 are working
>
> That isn't good.
>
> > I was able to rule out the specific git commit which introduces this
> > problem. #66c66729a51713c8a282b483e3cc76b43a234efa is the last working
> > version (checked out and built from source).
> > #595b4ddb9571772322ad2546f0faba91aa32daf1 seems to be the first "faulty"
>
> That's just a merge commit. The actual change is in 8e54822dcaf1.
> Which just sets a flag in OpenSSL.
>
> > Any ideas how to fix this issue? I would like to attach the complete
> > output of freeradius -X, but that contains identifying information that's
> > hard to strip. But if you need more information, I'll see what I can do.
> > For now, see the output of freeradius -X for the failing connection.
> >
> > Is this a bug? I don't think that the behavior of freeradius should
> > change from 3.0.16 to 3.0.17, especially as the commit message for
> > #595b4ddb9571772322ad2546f0faba91aa32daf1 only says: "TLS: Allow partial
> > certificate chain to trusted CA". That doesn't feel like some functionality
> > was removed, does it?
>
> It shouldn't change anything.
>
> What do your certificate chains look like? Maybe OpenSSL is getting the
> certificate chains wrong.
>
> Try setting "auto_chain = no" in mods-available/eap. Be aware though
> that this means you will need to order the certificates yourself. i.e.
> "certificate_file" will have to contain the entire certificate chain, in
>
> Alan DeKok.
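
A way to check the ordering that the quoted "auto_chain = no" advice leaves to the administrator, as an added example that is not part of the thread or of FreeRADIUS. It assumes the usual TLS order (server certificate first, each certificate followed by its issuer) and an openssl CLI on the PATH; the function names are hypothetical, the demo chain is constructed throwaway data, and only issuer/subject names are compared, not signatures.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Needs the openssl CLI.
# Write each certificate of bundle $1 to $2/cert-N.pem, N counting from 1.
split_bundle() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (d "/cert-" n ".pem") }
        /-----END CERTIFICATE-----/   { keep = 0 }
    ' "$1"
}

# Returns 0 if every certificate is directly followed by its issuer,
# 1 if some adjacent pair is out of order, 2 if no certificate was found.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    i=1 rc=0
    [ -f "$tmp/cert-1.pem" ] || rc=2
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        next=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash)
        if [ -z "$issuer" ] || [ "$issuer" != "$next" ]; then
            echo "cert $i is not issued by cert $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# issue NAME SIGNER CN: throwaway key and certificate NAME.pem signed by SIGNER.
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$3" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -out "$1.pem" -days 1 2>/dev/null
}

# Build a constructed root -> intermediate -> leaf chain in directory $1.
make_demo_chain() (
    cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Constructed Root CA" -days 1 2>/dev/null &&
    issue int root "Constructed Intermediate CA" &&
    issue leaf int "radius.example.test"
)

if [ "$#" -gt 0 ]; then check_chain_order "$1"; fi
```

Run against the file named in "certificate_file", an exit status of 1 means at least one certificate is not followed by its issuer.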