Hi everyone, I already success create 802.1x wireless authentication using freeradius and ldap, i did a test to every device that i have (iphone and laptop running windows 10 can connect to 802.1x wireless) but when i try to conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown CA" error. I already re-create the root CA (i did this following documentation http://deployingradius.com/documents/configuration/certificates.html), import it to the client, and ensure every detail of the certificate. Is there any bug with windows 7 or something? any kind of help would be appreciated. Thankyou (ca.cnf and server.cnf attached) Radius log : (0) Received Access-Request Id 60 from 172.30.254.3:49431 to 172.29.164.218:1812 length 267 (0) User-Name = "gpler" (0) Chargeable-User-Identity = 0x03 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "6c-71-d9-a9-5e-65" (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (0) NAS-IP-Address = 172.30.xxx.x (0) NAS-Identifier = "IPB-WLC-5520" (0) Airespace-Wlan-Id = 69 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "255" (0) EAP-Message = 0x0202000a0167706c6572 (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 10 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x68d16d7c68d27498a8bfbed341c368c9 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from 172.30.254.3:49431 to 172.29.164.218:1812 length 380 (1) User-Name = "gpler" (1) Chargeable-User-Identity = 0x03 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "6c-71-d9-a9-5e-65" (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (1) NAS-IP-Address = 172.30.xxx.x (1) NAS-Identifier = "IPB-WLC-5520" (1) Airespace-Wlan-Id = 69 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "255" (1) EAP-Message = 0x0203006919800000005f160301005a01000056030159978e892bc0cea1314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 (1) State = 0x68d16d7c68d27498a8bfbed341c368c9 (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 105 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x68d16d7c68d27498 (1) eap: Finished EAP session with state 0x68d16d7c68d27498 (1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 95 bytes (1) eap_peap: Got complete TLS record (95 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 4 length 778 (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (1) EAP-Message = 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5bd06acbc17fa96d02f7937abfe946a411c305079800002f000005ff0100010016030102c00b0002bc0002b90002b6308202b23082019aa003020102020900e889295aaea3149d300d06092a864886f70d01010b05003011310f30 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x68d16d7c69d57498a8bfbed341c368c9 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to 172.29.164.218:1812 length 292 (2) User-Name = "gpler" (2) Chargeable-User-Identity = 0x03 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "6c-71-d9-a9-5e-65" (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (2) NAS-IP-Address = 172.30.xxx.x (2) NAS-Identifier = "IPB-WLC-5520" (2) Airespace-Wlan-Id = 69 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "255" (2) EAP-Message = 0x0204001119800000000715030100020230 (2) State = 0x68d16d7c69d57498a8bfbed341c368c9 (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 17 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x68d16d7c69d57498 (2) eap: Finished EAP session with state 0x68d16d7c69d57498 (2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes (2) eap_peap: Got complete TLS record (7 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA* *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state* *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)* *(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca* *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(2) eap_peap: ERROR: System call (I/O) error (-1)* *(2) eap_peap: ERROR: TLS receive handshake failed during operation* *(2) eap_peap: ERROR: [eaptls process] = fail* *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed* (2) eap: Sending EAP Failure (code 4) ID 4 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> gpler (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 44 (2) EAP-Message = 0x04040004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +628 (1) Cleaning up request packet ID 61 with timestamp +628 (2) Cleaning up request packet ID 62 with timestamp +628