Hi everybody I am running a freshly compiled FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Oct 31 2012 at 16:56:00 Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. authenticating against a MySQL database appeast to work fine using radtest luna:/usr/local/etc/raddb # radtest test 1234 localhost 1812 testing123 Sending Access-Request of id 104 to 127.0.0.1 port 1812 User-Name = "test" User-Password = "1234" NAS-IP-Address = 194.124.158.51 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=104, length=20 I connected a ZyXEL NWA 3160-N (latest Firmware), generated a certificate request, signed it using XCA and reimported it on the AP. I also installed a certificate signed by the same CA in the ..../raddb/certs directory and of course the CA cert to be able to verify the client cert. If I try now to connect to the AP using the same credentials as before, I am getting the following in the output of radiusd -X .... Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/luna.think.ch.key" certificate_file = "/usr/local/etc/raddb/certs/luna.think.ch.pem" CA_file = "/usr/local/etc/raddb/certs/Think_CA.pem" private_key_password = "" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } ..... Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 194.124.158.62 port 59115 EAP-Message = 0x0102001604106133379bfac030f9a2efcf9a2e3e9641 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2c33890c2e3790fae8bf762d1a9802 Finished request 0. Waking up in 4.9 seconds. Going to the next request rad_recv: Access-Request packet from host 194.124.158.62 port 59115, id=8, length=162 User-Name = "test" NAS-Port = 0 Called-Station-Id = "50-67-F0-38-A9-E5:ZyXEL" Vendor-Specific = 0x000000000402 Calling-Station-Id = "74-F0-6D-07-9B-91" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020200060319 State = 0x0c2c33890c2e3790fae8bf762d1a9802 Message-Authenticator = 0x2ad76dbb03af18776e0c10b36df81895 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ...... ...... ...... [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca ..... There appears to be something wrong with the client certificate passed by the AP in the eap conversation. I doublechecked the certificates and googled my fingers raw on this. This is the server cert luna:/usr/local/etc/raddb/certs # openssl x509 -in luna.think.ch.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 29 (0x1d) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=ca@think.ch Validity Not Before: Nov 2 00:00:00 2012 GMT Not After : Sep 14 23:59:59 2014 GMT Subject: C=CH, L=Stallikon, O=THINK, OU=Mail Service, CN=luna.think.ch .... and the client cert luna:/usr/local/etc/raddb/certs # openssl x509 -in 194.124.158.62.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 28 (0x1c) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=ca@think.ch Validity Not Before: Nov 1 00:00:00 2012 GMT Not After : Oct 31 23:59:59 2013 GMT Subject: C=CH, L=Stallikon, O=THINK, OU=AP, CN=194.124.158.62 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) ..... and the CA cert luna:/usr/local/etc/raddb/certs # openssl x509 -in Think_CA.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=ca@think.ch Validity Not Before: Sep 16 17:00:07 2004 GMT Not After : Sep 14 17:00:07 2014 GMT Subject: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=ca@think.ch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) ... If you need the full output of radiusd, let me know. Maybe someone can give me a push in the right direction. Thanks Erich Titl