Troubleshooting EAP-TLS with External Certificates

Alan DeKok aland at
Fri Aug 5 14:33:54 CEST 2016

On Aug 4, 2016, at 11:12 PM, Matthew West <matthew.t.west at> wrote:
> Follow up to last e-mail.  Needed to use a different cert chain and
> have uploaded that to the server.  Tried to authorize again and got a
> similar error, below.  It appears the output means that the handshake
> failed due to a self-signed certificate in the chain. 

  No.  Please read *all* of the messages.

> Thank you,
> Matthew
> [tls] Done initial handshake
> [tls] <<< TLS 1.0 Handshake [length 11fa], Certificate
> --> verify error:num=19:self signed certificate in certificate chain
> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA

  That's the root cause of the problem.  You have a CA on the server, but haven't put the CA cert on the supplicant.  You MUST do that in order to get EAP-TLS to work.

  See for detailed instructions.

  Alan DeKok.
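Added example, not part of the original message or of FreeRADIUS: the `verify error:num=19` from the quoted debug output, reproduced with a throwaway CA and leaf certificate. It shows that the error means the verifying side sees the root in the presented chain but does not hold it as a trusted CA, and that installing the root as a trust anchor clears it. It assumes the `openssl` command-line tool is on the PATH; all certificate and file names are constructed.

```shell
#!/bin/sh
# Added illustration: reproduce "verify error:num=19" with a throwaway PKI.
# Every name here (Demo Root CA, demo-client, file names) is constructed.

make_demo_pki() {   # $1 = empty work dir; writes ca.pem and leaf.pem into it
    d=$1
    # Minimal config so the demo does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Demo Root CA' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
    # Self-signed root CA.
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    # Leaf key + CSR, then a leaf certificate signed by the root.
    openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 2 -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
}

verify_root_only_in_chain() {
    # The peer sends leaf + root, but the verifier has no trust anchor for it:
    # the root is supplied only as an untrusted chain certificate.
    openssl verify -untrusted "$1/ca.pem" "$1/leaf.pem" 2>&1
}

verify_root_trusted() {
    # Same certificates, with the root installed as a trusted CA.
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "== root present in chain, not trusted =="
    verify_root_only_in_chain "$d"
    echo "== root installed as trusted CA =="
    verify_root_trusted "$d"
    rm -rf "$d"
}

demo
```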
