XP won't authenticate with EAP TLS - log shows unknown_ca fatal error
Michael Wang
mwang25 at gmail.com
Sat Aug 6 00:30:29 CEST 2005
Hi Landon,
I think this piece from the log is suspicious:
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate
> --> verify error:num=18:self signed certificate
> chain-depth=0,
> error=18
> --> User-Name = 360VL
> --> BUF-Name = 360VL
> --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
> Incorporated/CN=360VL/emailAddress=emailwithheld
> --> issuer = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
> Incorporated/CN=360VL/emailAddress=emailwithheld
> --> verify return:0
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
I think the problem is the user certificate that you imported into XP
is "self-signed". What you need to do is use openssl to create a
certificate request (using openssl req ...) and then sign that request
using the CA (using openssl ca). Then package up the user key and
signed user cert into the pkcs#12 envelope (using openssl pkcs12).
Finally import into XP. I looked at the instructions for certificate
generation in the linux format article and they look OK. Make sure
you did not miss a step or use the wrong command somewhere.
As to using a password for the pkcs#12 envelope, go ahead and use it.
When you import the pkcs#12 file into XP, it will just ask for it, and
you enter it, and that should be it.
Hope that helps.
Michael
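The procedure Michael describes (request, sign with the CA, wrap key and cert in PKCS#12), as an added shell example that is not part of the original post. It also shows the check behind the log's `error=18`: a certificate that signs itself does not chain to the CA that FreeRADIUS trusts, so `openssl verify` rejects it with the same error number. All subjects, file names and the password are constructed for this example; `openssl x509 -req` is used for the signing step in place of `openssl ca`, because it needs no openssl.cnf CA section or index files.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a CA-signed EAP-TLS client
# certificate and PKCS#12 bundle, then contrasts it with a self-signed client
# certificate. Subjects, file names and the password are constructed values.
set -e

# 1. A private CA. This one is self-signed by design: it is the trust anchor
#    that the RADIUS server and the supplicant are configured to trust.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/C=US/O=Example Org/CN=Example EAP-TLS CA" 2>/dev/null
}

# 2. Client key and certificate request (openssl req), then the request is
#    signed by the CA. openssl x509 -req stands in for openssl ca here.
make_client_cert() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/C=US/O=Example Org/CN=example-user" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
}

# 3. PKCS#12 envelope (key + signed cert + CA cert) for import into the
#    supplicant. The password given here is the one XP asks for at import.
make_pkcs12() {
    dir=$1; pass=$2
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/ca.pem" -name "example-user" \
        -out "$dir/client.p12" -passout "pass:$pass"
}

# The mistake the log points at: a client certificate that signs itself,
# so subject and issuer are identical and no CA is involved.
make_selfsigned_client() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" \
        -subj "/C=US/O=Example Org/CN=example-user" 2>/dev/null
}

# The check the RADIUS server effectively performs during the handshake:
# does the presented certificate chain to the trusted CA? 0 = yes.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pull the X509 verify error number out of openssl's output. A self-signed
# certificate that is not in the CA store yields 18, matching "error=18".
verify_error_number() {
    openssl verify -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
        | head -n 1
}

# Issuer of the client certificate stored in the .p12: must name the CA,
# not the user, or XP will present a certificate the server cannot chain.
p12_client_issuer() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Stand-alone run: build both kinds of certificate and show the verdicts.
demo() {
    work=$(mktemp -d)
    make_ca "$work"
    make_client_cert "$work"
    make_pkcs12 "$work" changeit
    make_selfsigned_client "$work"
    echo "bundle issuer : $(p12_client_issuer "$work/client.p12" changeit)"
    if verify_against_ca "$work/ca.pem" "$work/client.pem"; then
        echo "CA-signed cert: accepted"
    fi
    if ! verify_against_ca "$work/ca.pem" "$work/selfsigned.pem"; then
        echo "self-signed   : rejected, error $(verify_error_number "$work/ca.pem" "$work/selfsigned.pem")"
    fi
    rm -rf "$work"
}

demo
```

The `verify_against_ca` step is the one worth running before touching the XP side: if the certificate you are about to bundle does not pass it against the CA file configured in `eap.conf`, the handshake will fail with `unknown_ca` no matter how the PKCS#12 import goes.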