Troubleshooting EAP-TLS with External Certificates
Matthew West
matthew.t.west at gmail.com
Fri Aug 5 18:30:05 CEST 2016
Hi Alan,
Thank you for your response. I appreciate all the work you put into
this project and your reply.
> That's the root cause of the problem. You have a CA on the server, but haven't put the CA cert on the supplicant. You MUST do that in order to get EAP-TLS to work.
> See http://deployingradius.com/ for detailed instructions.
I've used your site, solely, as a resource to set up FreeRADIUS. I've
also used the wiki, but your site seems to work best. Thank you for
helping me interpret the output. I'll post back with my results.
Much appreciated,
Matthew
On Fri, Aug 5, 2016 at 5:33 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Aug 4, 2016, at 11:12 PM, Matthew West <matthew.t.west at gmail.com> wrote:
>>
>> Follow up to last e-mail. Needed to use a different cert chain and
>> have uploaded that to the server. Tried to authorize again and got a
>> similar error, below. It appears the output means that the handshake
>> failed due to a self-signed certificate in the chain.
>
> No. Please read *all* of the messages.
>
>> Thank you,
>>
>> Matthew
>>
>> [tls] Done initial handshake
>> [tls] <<< TLS 1.0 Handshake [length 11fa], Certificate
>> --> verify error:num=19:self signed certificate in certificate chain
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert write:fatal:unknown CA
>
> That's the root cause of the problem. You have a CA on the server, but haven't put the CA cert on the supplicant. You MUST do that in order to get EAP-TLS to work.
>
> See http://deployingradius.com/ for detailed instructions.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
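
Added example (not part of the original thread, and not FreeRADIUS or deployingradius.com code): a throwaway lab that reproduces the "verify error:num=19" line from the debug output above with the openssl command-line tool, then shows the same chain verifying once the CA certificate is installed as a trust anchor on the verifying side. It assumes openssl is installed; the CA name, client name and file names are made up.

```shell
#!/bin/sh
# Constructed lab: a throwaway CA and one client certificate it signs.
# "Example Lab CA", "lab-client" and all file names are made up for this demo.
set -eu

make_lab() {    # $1 = existing directory; writes ca.pem and client.pem into it
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Lab CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null
}

# Run `openssl verify` with the given arguments.
# Echoes 0 when the chain verifies, otherwise OpenSSL's first verify error number.
verify_errnum() {
  if out=$(openssl verify "$@" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
make_lab "$LAB"

# Case 1: the peer sends leaf + root, but the verifier has no trust in that root.
echo "root sent but not trusted: error $(verify_errnum -untrusted "$LAB/ca.pem" "$LAB/client.pem")"

# Case 2: same chain, with the CA certificate installed as a trust anchor.
echo "root installed as trusted: error $(verify_errnum -CAfile "$LAB/ca.pem" "$LAB/client.pem")"
```

Running the second command form against the real CA file and the real peer certificate is a quick check that the trust anchor you installed is the one that actually issued the certificate.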