On Oct 10, 2016, at 12:30 PM, Ryan <directionless@gmail.com> wrote:
I'm running freeRADIUS v3.0.8. My first goal is just to get all our Cisco phones authorized. I want freeRADIUS to accept all phones based on the certificate presented by the supplicant. The phones should present Cisco's manufacturer-installed-certificate, and Cisco provides the CA certs for download, which I have done. I put the Cisco CA certs into /etc/freeradius/certs, changed eap config to use ca_path instead of ca_file, but I still get this: ... (4) eap_tls: >>> TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA tls: TLS_accept: Error in error
That's the phone saying it doesn't know about the CA.
I'm a total noob at PKI and I can't figure out what I'm doing wrong. Is this even possible to do?
The server also has to present a certificate to the phone. And the servers certificate has to be signed by a CA. If Cisco isn't going to sign the server cert (and they won't), then you'll need to get your CA onto the phone somehow. Alan DeKok.