Unknown CA errors

Harry Hoffman hhoffman at ip-solutions.net
Wed Feb 23 19:11:56 CET 2011


Hi All,

I see a similar thing mentioned in the mailing list but I'm unsure why this
is happening.

In my eap.conf I see the following:
    #  This parameter is used only for EAP-TLS,
    #  when you issue client certificates.  If you do
    #  not use client certificates, and you do not want
    #  to permit EAP-TLS authentication, then delete
    #  this configuration item.
    #CA_file = ${cadir}/ca.pem

And I'm getting these errors logged from time to time.
Feb 23 13:05:07 avocet radiusd[15992]: TLS Alert read:fatal:unknown CA
Feb 23 13:05:07 avocet radiusd[15992]: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

If we're not using EAP-TLS but rather PEAP, EAP-TTLS-MSCHAPv2, do we really
need to uncomment the CA_file variable? The docs seem to indicate no, but
the mailing lists indicate yes.

Can someone provide clarification?

Cheers,
Harry



