Cisco IP Phone 802.1x EAP-TLS troubles

Ryan directionless at
Mon Oct 10 18:30:07 CEST 2016

I'm running freeRADIUS v3.0.8.  My first goal is just to get all our
Cisco phones authorized.  I want freeRADIUS to accept all phones based
on the certificate presented by the supplicant.  The phones should
present Cisco's manufacturer-installed-certificate, and Cisco provides
the CA certs for download, which I have done.  I put the Cisco CA
certs into /etc/freeradius/certs, changed eap config to use ca_path
instead of ca_file, but I still get this:


(4) eap: Peer s0ent method TLS (13)
(4) eap: EAP TLS (13)
(4) eap: Calling eap_tls to process EAP data
(4) eap_tls: Authenticate
(4) eap_tls: processing EAP-TLS
(4) eap_tls: TLS Length 1235
(4) eap_tls: Length Included
(4) eap_tls: eaptls_verify returned 11
(4) eap_tls: <<< Unknown TLS version [length 0005]
(4) eap_tls: <<< TLS 1.2  [length 0343]
(4) eap_tls: TLS Verify creating certificate attributes
(4) eap_tls:   TLS-Client-Cert-Serial := '06'
(4) eap_tls:   TLS-Client-Cert-Expiration := '211008171647Z'
(4) eap_tls:   TLS-Client-Cert-Subject := '/serialNumber=PID:CP-8841
SN:FCH20098MSK/C=US/O=Texana Center/OU=Building
(4) eap_tls:   TLS-Client-Cert-Issuer := '/C=US/O=Texana
Center/OU=Building E/CN=CAPF-38b5f828/ST=Texas/L=4910 Airport Ave.'
(4) eap_tls:   TLS-Client-Cert-Common-Name := 'CP-8841-SEP00CCFC4A9AD3'
(4) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
(4) eap_tls: >>> Unknown TLS version [length 0005]
(4) eap_tls: >>> TLS 1.2  [length 0002]
(4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
tls: TLS_accept: Error in error
(4) eap_tls: ERROR: SSL says: error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(4) eap_tls: eaptls_process returned 4
(4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(4) eap: Failed in EAP select
(4)     [eap] = invalid
(4)   } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject


I'm a total noob at PKI and I can't figure out what I'm doing wrong.
Is this even possible to do?

More information about the Freeradius-Users mailing list