windows users having trouble authenticating

Alan DeKok aland at deployingradius.com
Tue Aug 3 08:46:36 CEST 2010


Sallee, Stephen (Jake) wrote:
> I am still getting this error in my debug output:
> 
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
> 
> I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

  No amount of upgrading FreeRADIUS will make it work.

  This message comes because (a) the supplicant has a client certificate
issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling
FreeRADIUS that the server's CA is unknown to the client.

> PLEASE someone tell me how to make FreeRADIUS automatically accept the
> client cert.

  PEAP doesn't work like that.  If you issued client certs, then
FreeRADIUS *MUST* be configured to know about the CA.

>  I have about 2 thousand clients that are not owned by my
> university, I cannot install the server cert on all of them, the
> logistics are too much.  PLEASE HELP!

  We're trying.  We're asking you to listen to our responses.

  PEAP (or any TLS-based EAP method) *cannot* do what you ask.  It's
impossible, and it was designed to be impossible by the people who
created the cryptography algorithms.

  If you want to have it work, then (a) configure FreeRADIUS to know
about the CA that issued the client cert, or (b) put the FreeRADIUS
cert/CA on a web site, for the clients to download themselves.

  I understand what you want, but please understand that there are
limitations to the protocols *independent* of FreeRADIUS.

  Alan DeKok.
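
Added illustration (not part of the original message and not FreeRADIUS code): a shell script that reproduces case (a) above with `openssl verify`, where a client certificate issued by a CA missing from the server's trusted CA file is rejected and is accepted once that CA is added. All CA names, file names and function names are constructed for this demo.

```shell
#!/bin/sh
# Added example. Every key, certificate and name here is constructed sample data.

make_ca() {       # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_cert() {    # $1 = issuing CA prefix, $2 = new cert prefix, $3 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Succeeds only if cert $2 chains to a CA in trust file $1
# (matched on the "<file>: OK" line that openssl verify prints).
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

unknown_ca_demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d/campus" "Constructed Campus CA"      # only CA the server trusts at first
  make_ca "$d/visitor" "Constructed Visitor CA"    # CA that issued the client's cert
  issue_cert "$d/visitor" "$d/client" "visitor-laptop"

  # Case (a): the client cert's issuer is absent from the server's CA file.
  if chain_ok "$d/campus.pem" "$d/client.pem"; then before=accepted; else before=rejected; fi

  # Remedy (a): add the issuing CA to the CA file the server loads.
  cat "$d/campus.pem" "$d/visitor.pem" > "$d/bundle.pem"
  if chain_ok "$d/bundle.pem" "$d/client.pem"; then after=accepted; else after=rejected; fi

  rm -rf "$d"
  echo "campus-only:$before bundle:$after"
}

unknown_ca_demo
```

The same `openssl verify -CAfile` check can be pointed at a real client certificate and the CA file the server is configured with to see which side of the handshake lacks the issuer.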
