Troubleshooting EAP-TLS with External Certificates
Alan DeKok
aland at deployingradius.com
Fri Aug 5 14:33:54 CEST 2016
On Aug 4, 2016, at 11:12 PM, Matthew West <matthew.t.west at gmail.com> wrote:
>
> Follow up to last e-mail. Needed to use a different cert chain and
> have uploaded that to the server. Tried to authorize again and got a
> similar error, below. It appears the output means that the handshake
> failed due to a self-signed certificate in the chain.

No. Please read *all* of the messages.

> Thank you,
>
> Matthew
>
> [tls] Done initial handshake
> [tls] <<< TLS 1.0 Handshake [length 11fa], Certificate
> --> verify error:num=19:self signed certificate in certificate chain
> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA

That's the root cause of the problem. You have a CA on the server, but haven't put the CA cert on the supplicant. You MUST do that in order to get EAP-TLS to work.

See http://deployingradius.com/ for detailed instructions.

Alan DeKok.
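
An added example, not part of the original thread or of FreeRADIUS: a small parser that collects every TLS record, OpenSSL verify error and alert from debug output like that quoted above, so the whole failure is read together rather than one line at a time. The sample input is the log text from the message; the function names `parse_tls_debug` and `summarize` are hypothetical.

```python
import re

# Debug lines copied from the quoted message above, used as sample input.
SAMPLE = """\
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 11fa], Certificate
--> verify error:num=19:self signed certificate in certificate chain
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
"""

# "<<<" marks a record the server received, ">>>" one it sent
# (the "TLS Alert write" line in the sample agrees with the ">>>" alert).
RECORD = re.compile(r"\[tls\] (<<<|>>>) (TLS [\d.]+) (\w+) \[length ([0-9a-f]+)\], (.+)")
VERIFY = re.compile(r"verify error:num=(\d+):(.+)")
ALERT = re.compile(r"TLS Alert (read|write):(\w+):(.+)")

def parse_tls_debug(text):
    """Collect TLS records, verify errors and alerts; mail-quoted lines are accepted."""
    out = {"records": [], "verify_errors": [], "alerts": []}
    for raw in text.splitlines():
        if m := RECORD.search(raw):
            arrow, version, rtype, length, detail = m.groups()
            out["records"].append({
                "direction": "received" if arrow == "<<<" else "sent",
                "version": version, "type": rtype,
                "length": int(length, 16), "detail": detail.strip()})
        elif m := VERIFY.search(raw):
            out["verify_errors"].append((int(m.group(1)), m.group(2).strip()))
        elif m := ALERT.search(raw):
            op, level, desc = m.groups()
            out["alerts"].append({"op": op, "level": level, "description": desc.strip()})
    return out

def summarize(parsed):
    """List each verify error, then each Alert record with its direction."""
    lines = [f"verify error {n}: {t}" for n, t in parsed["verify_errors"]]
    lines += [f"{r['direction']} {r['type']}: {r['detail']}"
              for r in parsed["records"] if r["type"] == "Alert"]
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(parse_tls_debug(SAMPLE))))
```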