Hello, I'm running freeRADIUS v3.0.8. My first goal is just to get all our Cisco phones authorized. I want freeRADIUS to accept all phones based on the certificate presented by the supplicant. The phones should present Cisco's manufacturer-installed-certificate, and Cisco provides the CA certs for download, which I have done. I put the Cisco CA certs into /etc/freeradius/certs, changed eap config to use ca_path instead of ca_file, but I still get this: ------------------------- (4) eap: Peer s0ent method TLS (13) (4) eap: EAP TLS (13) (4) eap: Calling eap_tls to process EAP data (4) eap_tls: Authenticate (4) eap_tls: processing EAP-TLS (4) eap_tls: TLS Length 1235 (4) eap_tls: Length Included (4) eap_tls: eaptls_verify returned 11 (4) eap_tls: <<< Unknown TLS version [length 0005] (4) eap_tls: <<< TLS 1.2 [length 0343] (4) eap_tls: TLS Verify creating certificate attributes (4) eap_tls: TLS-Client-Cert-Serial := '06' (4) eap_tls: TLS-Client-Cert-Expiration := '211008171647Z' (4) eap_tls: TLS-Client-Cert-Subject := '/serialNumber=PID:CP-8841 SN:FCH20098MSK/C=US/O=Texana Center/OU=Building E/CN=CP-8841-SEP00CCFC4A9AD3' (4) eap_tls: TLS-Client-Cert-Issuer := '/C=US/O=Texana Center/OU=Building E/CN=CAPF-38b5f828/ST=Texas/L=4910 Airport Ave.' (4) eap_tls: TLS-Client-Cert-Common-Name := 'CP-8841-SEP00CCFC4A9AD3' (4) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate (4) eap_tls: >>> Unknown TLS version [length 0005] (4) eap_tls: >>> TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA tls: TLS_accept: Error in error (4) eap_tls: ERROR: SSL says: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation (4) eap_tls: eaptls_process returned 4 (4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject -------------------------------- I'm a total noob at PKI and I can't figure out what I'm doing wrong. Is this even possible to do? -Ryan