EAP-TLS and client certs issued with different CA's

Bruncko Michal Michal.Bruncko at zssos.sk
Sat Sep 13 16:24:10 CEST 2014

hello again

forgot to mention freeradius version - 2.1.12 (on centos 6)

thanks again


2014-09-13 16:17 odosielateľ napísal:
> Hello list,
> I am successfully using Freeradius in our Wifi environment using
> EAP-TLS in single-CA environment - i.e same CA was used to sign both
> server and clients SSL certificates. Now I have started to use new
> certificate PKI with new CA hierarchy - RootCA -> SubCA -> Wifi
> certificates, but I wanted to keep existing legacy CA in place. This
> means:
> - that I wanted to use client certificates issued by two different
> CA's for EAP-TLS authentication
> - and as I mentioned before, the new CA is a subCA of new rootCA.
> - and server certificate is signed still using legacy CA
> I looked over older posts and it looks that this scenario is supported
> by freeradius and can be achieved in two ways:
> - using CA_file (within tls section in eap.conf) pointing to file
> bundling all CA related certificates (i.e. legacy CA, new SubCA and
> RootCA), or
> - using CA_path pointing to directory with separate CA *.pem files
> (and running "c_rehash" over that directory). both subCA and rootCA in
> single pem file (but I tried to separate it as well)
> The problem is, that everytime I wanted to authenticate with client
> using certificate signed by subCA, I always get:
> [campuswifi] Request found, released from the list
> [campuswifi] EAP/tls
> [campuswifi] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
> [tls] eaptls_verify returned 7
> [tls] Done initial handshake
> [tls] <<< TLS 1.0 Handshake [length 03d6], Certificate
> --> verify error:num=20:unable to get local issuer certificate
> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
>     TLS_accept: error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> SSL: SSL_read failed in a system call (-1), TLS session fails.
> TLS receive handshake failed during operation
> [tls] eaptls_process returned 4
> [campuswifi] Handler failed in EAP/tls
> [campuswifi] Failed in EAP select
> Questions:
> - what I am doing wrong? Miss I anything in order to get working
> EAP-TLS authentication over both legacy CA and new CA?
> recall: please note that new CA is not self signed, but signed by
> another rootCA authority (created also by me).
> thanks for any help

More information about the Freeradius-Users mailing list