EAP-TLS / OpenSSL Debug Output

Alan DeKok aland at deployingradius.com
Wed May 27 16:11:33 CEST 2015

On May 26, 2015, at 6:27 PM, Ben Humpert <ben at an3k.de> wrote:
> While Windows (including XP) as well as Apple clients (including iOS)
> are working great Android has issues connecting using EAP-TLS. As soon
> as I select a CA certificate in Android the connection is not
> possible. If I don't select any CA certificate the connection works,

  Because it's not validating the CA cert in that case.

> beside it's actually not EAP-TLS since the server certificate is not
> validated.


> Just for my understanding, in the above debug output which side of the
>>>> and <<< is the RADIUS server and which is the client?
> Does the second line means the server (left) read from the client
> (right)? If so does the last line means the server (left) wrote to the
> client (right)?


> The debug output of the failing Android EAP-TLS attempt is below - in
> case someone is interested.
> Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert
> [length 0002], fatal unknown_ca
> Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA
> Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in
> SSLv3 read client certificate A

  The client certificate was signed by a CA unknown to FreeRADIUS.  You need to put the CA in the raddb/certs directory, and configure FreeRADIUS to read it.

  Alan DeKok.

More information about the Freeradius-Users mailing list