Hi How did you install it on the Windows client? Just double clicked and chose default options? You need to make sure you import it into the correct certificate store location eg local computer/trusted CA location. alan On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
Hi everyone,
I already success create 802.1x wireless authentication using freeradius and ldap, i did a test to every device that i have (iphone and laptop running windows 10 can connect to 802.1x wireless) but when i try to conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown CA" error. I already re-create the root CA (i did this following documentation http://deployingradius.com/documents/configuration/certificates.html), import it to the client, and ensure every detail of the certificate. Is there any bug with windows 7 or something? any kind of help would be appreciated. Thankyou (ca.cnf and server.cnf attached)
Radius log : (0) Received Access-Request Id 60 from 172.30.254.3:49431 to 172.29.164.218:1812 length 267 (0) User-Name = "gpler" (0) Chargeable-User-Identity = 0x03 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "6c-71-d9-a9-5e-65" (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (0) NAS-IP-Address = 172.30.xxx.x (0) NAS-Identifier = "IPB-WLC-5520" (0) Airespace-Wlan-Id = 69 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "255" (0) EAP-Message = 0x0202000a0167706c6572 (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 10 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x68d16d7c68d27498a8bfbed341c368c9 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from 172.30.254.3:49431 to 172.29.164.218:1812 length 380 (1) User-Name = "gpler" (1) Chargeable-User-Identity = 0x03 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "6c-71-d9-a9-5e-65" (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (1) NAS-IP-Address = 172.30.xxx.x (1) NAS-Identifier = "IPB-WLC-5520" (1) Airespace-Wlan-Id = 69 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "255" (1) EAP-Message = 0x0203006919800000005f160301005a01000056030159978e892bc0cea1 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00 350005000ac013c014c009c00a003200380013000401000015ff01000100 000a0006000400170018000b00020100 (1) State = 0x68d16d7c68d27498a8bfbed341c368c9 (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 105 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x68d16d7c68d27498 (1) eap: Finished EAP session with state 0x68d16d7c68d27498 (1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 95 bytes (1) eap_peap: Got complete TLS record (95 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 4 length 778 (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (1) EAP-Message = 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x68d16d7c69d57498a8bfbed341c368c9 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to 172.29.164.218:1812 length 292 (2) User-Name = "gpler" (2) Chargeable-User-Identity = 0x03 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "6c-71-d9-a9-5e-65" (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (2) NAS-IP-Address = 172.30.xxx.x (2) NAS-Identifier = "IPB-WLC-5520" (2) Airespace-Wlan-Id = 69 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "255" (2) EAP-Message = 0x0204001119800000000715030100020230 (2) State = 0x68d16d7c69d57498a8bfbed341c368c9 (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 17 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x68d16d7c69d57498 (2) eap: Finished EAP session with state 0x68d16d7c69d57498 (2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes (2) eap_peap: Got complete TLS record (7 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA* *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state* *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)* *(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca* *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(2) eap_peap: ERROR: System call (I/O) error (-1)* *(2) eap_peap: ERROR: TLS receive handshake failed during operation* *(2) eap_peap: ERROR: [eaptls process] = fail* *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed* (2) eap: Sending EAP Failure (code 4) ID 4 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> gpler (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 44 (2) EAP-Message = 0x04040004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +628 (1) Cleaning up request packet ID 61 with timestamp +628 (2) Cleaning up request packet ID 62 with timestamp +628
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html