unknown CA when trying to authenticate

Alan DeKok aland at deployingradius.com
Mon Feb 22 17:04:55 CET 2021 

On Feb 22, 2021, at 10:46 AM, Tyler Montney <montneytyler at gmail.com> wrote:
> 
> " What is the user system running?  How does it authenticate?"
> 
> Same OS as FreeRadius, running the Unifi Controller. The controller
> authenticates wireless users through RADIUS. RADIUS uses LDAP as its user
> database.

  That really isn't answering my question.

  Do the users have access to the shell on the Unifi controller?  Or are the users trying to gain network access via WiFi?

  If it's the second one, then again... what is the user system running?  How did you configure it?  

> "Where does it get the certificates from?"
> 
> An internal "LetsEncrypt", step-ca.

  That is also not answering my question.  You configured the end-user system to use WiFi.  As part of that process, you either did (or didn't) configure names, EAP type, certificates, etc.

  So... did you do that?  If so, what did you do?

> "The certificate store you edited is used for web authentication, not WiFi."
> 
> Yes, but the EAP module is pointing to that store. I don't see how that's
> related to web authentication.

  In most systems, the default certificate stores are different for Web and for EAP.  You do NOT want to use the same certificate store for both.

> If I set the LDAP module's "require_cert" to
> 'demand' (rather than 'allow'), freeradius will refuse to start with a
> similar error. It fails to connect over LDAPS.

  At this point, it's not at all clear what you're doing, or why.

  You aren't configuring FreeRADIUS using the normal process of putting the certs into raddb/certs.  You aren't following any of the available "how to" guides for configuring FreeRADIUS, or EAP, or WiFi.

  There is existing documentation which tells you how to configure WiFi.  Please follow it.

  And please also understand that *end user* systems are different than the Unifi controller, where you configure FreeRADIUS.  Those end-user systems also need to be configured correctly for EAP / WiFi.  It looks very much like you haven't done that.

  Alan DeKok.

More information about the Freeradius-Users mailing list