Cisco IP Phone 802.1x EAP-TLS troubles

Alan DeKok aland at
Mon Oct 10 18:33:56 CEST 2016

On Oct 10, 2016, at 12:30 PM, Ryan <directionless at> wrote:
> I'm running freeRADIUS v3.0.8.  My first goal is just to get all our
> Cisco phones authorized.  I want freeRADIUS to accept all phones based
> on the certificate presented by the supplicant.  The phones should
> present Cisco's manufacturer-installed-certificate, and Cisco provides
> the CA certs for download, which I have done.  I put the Cisco CA
> certs into /etc/freeradius/certs, changed eap config to use ca_path
> instead of ca_file, but I still get this:
> ...
> (4) eap_tls: >>> TLS 1.2  [length 0002]
> (4) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
> tls: TLS_accept: Error in error

  That's the phone saying it doesn't know about the CA.

> I'm a total noob at PKI and I can't figure out what I'm doing wrong.
> Is this even possible to do?

 The server also has to present a certificate to the phone.  And the servers certificate has to be signed by a CA.

  If Cisco isn't going to sign the server cert (and they won't), then you'll need to get your CA onto the phone somehow.

  Alan DeKok.

More information about the Freeradius-Users mailing list