XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Landon Cox freeradius at 360vl.com
Sun Aug 7 17:11:45 CEST 2005

On Aug 7, 2005, at 7:47 AM, A.L.M.Buxey at lboro.ac.uk wrote:
>> I chose to start with this article as it was one of the most recent
>> tutorials I could find on the topic of FreeRADIUS and EAP TLS.
> strange. the EAP-TLS HOWTO seems quite straightforward. everything
> else is a rewrite of this guide.

For me, I appreciated the tutorial approach of Bauer's article vs  
something more scripted because it helped me understand what was  
going on.  I hadn't ever set up CAs and certificates before so  
Bauer's article was better for me, especially Part 1 which laid out  
the WPA landscape.  The EAP-TLS HOWTO was fine, I just didn't get the  
lay of the land as a background that I needed to understand where I  
was headed and why.

> interesting. we've used pass phrases...stops people just copying the
> certificate onto any unknown machine.

Indeed it works either way as I found out, so again, not sure what he  
was referring to in the article.

>> client p12 file both ways and reimporting to XP's Personal
>> Certificates to no avail. Is that pkcs12 passphrase assertion still
>> true for XP supplicant?  Either way, with or without, I can't get
>> this to work, so that must not be the issue.
> did you use the extra XP SSL additions as per the EAP-TLS HOWTO?

Yes I had the ASN1 xpextensions all along; that was not the problem  
as it turned out.

> though this seems to suggest that your FreeRADIUS doesn't know
> much about this certificate. I'd check the eap.conf file

The eap.conf was correct also.

I think the problem was that the certs I generated for CA and server  
weren't in the ssl/certs directory though they were in the raddb/certs
directory.  Other than that, I don't think I did anything
different between attempts at CA and cert creation when I finally got  
it working.  Definitely didn't change my radiusd.conf, clients.conf  
or eap.conf files between attempts, so it was definitely cert related.

I need to experiment a little more to see where I went wrong the  
first couple attempts, but all the conf files were correct as I  
didn't change them between attempts.


