XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Landon Cox freeradius at 360vl.com
Sat Aug 6 16:38:25 CEST 2005


Thanks for looking at this, Michael.

I decided to restart the certificate generation process and did it  
again from scratch following the article.  Same results.

I did it a 3rd time, but this time copied the certs to /etc/ssl/certs
and ensured all CNs were unique (not being completely up on what is
right or wrong with respect to input values for the cert process or
what directories the new certs needed to live in, I wanted to make
sure that wasn't an issue).  So, one of those actions did the trick
and I haven't gone back to isolate which one.

After that I was able to login - authenticated in both directions,  
too.  I did go ahead and do the pkcs export password and that worked  
fine.  I'm not sure what Bauer's comment was referring to in the  
article about XP supplicants only working with non-pw protected certs  
in the store.  Oh well, it's up and working and I'm grateful.

Thank you,

Landon

On Aug 5, 2005, at 4:30 PM, Michael Wang wrote:

> Hi Landon,
>
> I think this piece from the log is suspicious:
>
>
>> rlm_eap_tls:  Length Included
>>  eaptls_verify returned 11
>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate
>> --> verify error:num=18:self signed certificate
>> chain-depth=0,
>> error=18
>> --> User-Name = 360VL
>> --> BUF-Name = 360VL
>> --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
>> Incorporated/CN=360VL/emailAddress=emailwithheld
>> --> issuer  = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
>> Incorporated/CN=360VL/emailAddress=emailwithheld
>> --> verify return:0
>>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert write:fatal:unknown CA
>>   TLS_accept:error in SSLv3 read client certificate B
>> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session  
>> fails.
>>
>
> I think the problem is the user certificate that you imported into XP
> is "self-signed".  What you need to do is use openssl to create a
> certificate request (using openssl req ...) and then sign that request
> using the CA (using openssl ca).  Then package up the user key and
> signed user cert into the pkcs#12 envelope (using openssl pkcs12).
> Finally import into XP.  I looked at the instructions for certificate
> generation in the linux format article and they look OK.  Make sure
> you did not miss a step or use the wrong command somewhere.
>
> As to using a password for the pkcs#12 envelope, go ahead and use it.
> When you import the pkcs#12 file into XP, it will just ask for it, and
> you enter it, and that should be it.
>
> Hope that helps.
>
> Michael
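The procedure Michael describes (openssl req, then openssl ca, then openssl pkcs12), written out as an added example that is not part of the thread or of the Linux Format article. It builds a throwaway CA in a temp directory, issues a server cert and a CA-signed user cert, bundles the user cert as a password-protected PKCS#12, and then runs the same chain check that rlm_eap_tls performs against both the correct cert and a deliberately self-signed one, which fails with the error 18 seen in the log above. The config file name, subjects (360VL Demo CA, radius.example, user1) and the export password are illustrative; nothing here reflects Landon's actual certificates.

```sh
#!/bin/sh
# Added example, not from the thread: build a private CA, issue a CA-signed
# user cert and a server cert with 'openssl req' / 'openssl ca', bundle the
# user cert as PKCS#12 with 'openssl pkcs12', and check the chain the way
# rlm_eap_tls does. All names (ca.cnf, user1, radius.example) are illustrative.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal config for 'openssl ca'. DN fields missing from the policy section
# are silently dropped from issued certs, so every component is listed.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ srv_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
mkdir -p newcerts
: > index.txt
echo 01 > serial

# The CA is the only certificate that should be self-signed.
make_ca() {  # $1=subject
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
        -extensions v3_ca -keyout ca.key -out ca.pem -subj "$1" 2>/dev/null
}

# Key + CSR, then sign the CSR with the CA. 'openssl ca' refuses a subject
# already present in index.txt (unique_subject defaults to yes), so the
# server and user CNs must differ from each other and from the CA.
issue_cert() {  # $1=name $2=subject $3=extension section
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -extensions "$3" \
        -in "$1.csr" -out "$1.pem" 2>/dev/null
}

# Same check rlm_eap_tls performs: does the cert chain to the trusted CA?
verify_chain() {  # $1=CA file $2=cert file
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# PKCS#12 bundle for XP. ca.pem is included so the import also plants the CA
# in the trusted root store. SHA1/3DES PBE keeps the file readable by old
# Windows; OpenSSL 3 defaults to AES PBES2, which Windows XP cannot open.
make_p12() {  # $1=name $2=export password
    openssl pkcs12 -export -in "$1.pem" -inkey "$1.key" -certfile ca.pem \
        -name "$1" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$1.p12" -passout "pass:$2"
}

# Issuer of the client cert inside the bundle, as a post-export sanity check.
p12_issuer() {  # $1=name $2=export password
    openssl pkcs12 -in "$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -issuer
}

make_ca "/C=US/O=360VL Incorporated/CN=360VL Demo CA"
issue_cert radius "/C=US/O=360VL Incorporated/CN=radius.example" srv_cert
issue_cert user1  "/C=US/O=360VL Incorporated/CN=user1" usr_cert
make_p12 user1 changeit

# The mistake from the thread, reproduced: a user cert signed with its own key
# (subject == issuer), which the server rejects with verify error 18.
openssl req -new -x509 -key user1.key -days 30 -config ca.cnf \
    -out selfsigned.pem -subj "/C=US/O=360VL Incorporated/CN=user1" 2>/dev/null

verify_chain ca.pem user1.pem && echo "user1.pem: chains to CA"
verify_chain ca.pem selfsigned.pem || echo "selfsigned.pem: rejected, unknown_ca"
echo "p12 issuer: $(p12_issuer user1 changeit)"
```

ca.pem, radius.pem and radius.key go wherever the tls section of eap.conf points; user1.p12 is what gets imported on the XP side. The export password is consumed once at import and is not needed by the supplicant afterwards, which is why Michael's advice to just use one is sound. Running `openssl verify -CAfile ca.pem` against the user certificate before exporting it is the cheapest way to catch the self-signed mistake, since it reports the same error 18 that rlm_eap_tls logs.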



More information about the Freeradius-Users mailing list