TLS Alert read:fatal:unknown CA
Fatih Naufal
fatih.avila at gmail.com
Sat Aug 19 03:25:31 CEST 2017
Hi everyone,
I already success create 802.1x wireless authentication using freeradius
and ldap, i did a test to every device that i have (iphone and laptop
running windows 10 can connect to 802.1x wireless) but when i try to
conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown
CA" error. I already re-create the root CA (i did this following
documentation
http://deployingradius.com/documents/configuration/certificates.html),
import it to the client, and ensure every detail of the certificate. Is
there any bug with windows 7 or something? any kind of help would be
appreciated. Thankyou (ca.cnf and server.cnf attached)
Radius log :
(0) Received Access-Request Id 60 from 172.30.254.3:49431 to
172.29.164.218:1812 length 267
(0) User-Name = "gpler"
(0) Chargeable-User-Identity = 0x03
(0) Location-Capable = Civix-Location
(0) Calling-Station-Id = "6c-71-d9-a9-5e-65"
(0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
(0) NAS-Port = 1
(0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
(0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
(0) NAS-IP-Address = 172.30.xxx.x
(0) NAS-Identifier = "IPB-WLC-5520"
(0) Airespace-Wlan-Id = 69
(0) Service-Type = Framed-User
(0) Framed-MTU = 1300
(0) NAS-Port-Type = Wireless-802.11
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Private-Group-Id:0 = "255"
(0) EAP-Message = 0x0202000a0167706c6572
(0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "gpler", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 3 length 6
(0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to
172.30.xxx.x:49431 length 0
(0) EAP-Message = 0x010300061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x68d16d7c68d27498a8bfbed341c368c9
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 61 from 172.30.254.3:49431 to
172.29.164.218:1812 length 380
(1) User-Name = "gpler"
(1) Chargeable-User-Identity = 0x03
(1) Location-Capable = Civix-Location
(1) Calling-Station-Id = "6c-71-d9-a9-5e-65"
(1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
(1) NAS-Port = 1
(1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
(1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
(1) NAS-IP-Address = 172.30.xxx.x
(1) NAS-Identifier = "IPB-WLC-5520"
(1) Airespace-Wlan-Id = 69
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) Tunnel-Type:0 = VLAN
(1) Tunnel-Medium-Type:0 = IEEE-802
(1) Tunnel-Private-Group-Id:0 = "255"
(1) EAP-Message =
0x0203006919800000005f160301005a01000056030159978e892bc0cea1314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
(1) State = 0x68d16d7c68d27498a8bfbed341c368c9
(1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "gpler", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 105
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x68d16d7c68d27498
(1) eap: Finished EAP session with state 0x68d16d7c68d27498
(1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released
from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 95 bytes
(1) eap_peap: Got complete TLS record (95 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: Need to read more data: unknown state
(1) eap_peap: TLS_accept: Need to read more data: unknown state
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 4 length 778
(1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to
172.30.xxx.x:49431 length 0
(1) EAP-Message =
0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5bd06acbc17fa96d02f7937abfe946a411c305079800002f000005ff0100010016030102c00b0002bc0002b90002b6308202b23082019aa003020102020900e889295aaea3149d300d06092a864886f70d01010b05003011310f30
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x68d16d7c69d57498a8bfbed341c368c9
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to
172.29.164.218:1812 length 292
(2) User-Name = "gpler"
(2) Chargeable-User-Identity = 0x03
(2) Location-Capable = Civix-Location
(2) Calling-Station-Id = "6c-71-d9-a9-5e-65"
(2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
(2) NAS-Port = 1
(2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
(2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
(2) NAS-IP-Address = 172.30.xxx.x
(2) NAS-Identifier = "IPB-WLC-5520"
(2) Airespace-Wlan-Id = 69
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) Tunnel-Type:0 = VLAN
(2) Tunnel-Medium-Type:0 = IEEE-802
(2) Tunnel-Private-Group-Id:0 = "255"
(2) EAP-Message = 0x0204001119800000000715030100020230
(2) State = 0x68d16d7c69d57498a8bfbed341c368c9
(2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "gpler", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 4 length 17
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x68d16d7c69d57498
(2) eap: Finished EAP session with state 0x68d16d7c69d57498
(2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(2) eap_peap: Got complete TLS record (7 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
*(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA*
*(2) eap_peap: ERROR: TLS_accept: Failed in unknown state*
*(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)*
*(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1
alert unknown ca*
*(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
handshake failure*
*(2) eap_peap: ERROR: System call (I/O) error (-1)*
*(2) eap_peap: ERROR: TLS receive handshake failed during operation*
*(2) eap_peap: ERROR: [eaptls process] = fail*
*(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed*
(2) eap: Sending EAP Failure (code 4) ID 4 length 4
(2) eap: Failed in EAP select
(2) [eap] = invalid
(2) } # authenticate = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> gpler
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) [eap] = noop
(2) policy remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else {
(2) [noop] = noop
(2) } # else = noop
(2) } # policy remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to 172.30.xxx.x:49431
length 44
(2) EAP-Message = 0x04040004
(2) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 60 with timestamp +628
(1) Cleaning up request packet ID 61 with timestamp +628
(2) Cleaning up request packet ID 62 with timestamp +628
-------------- next part --------------
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 60
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match
crlDistributionPoints = URI:http://www.example.org/example_ca.crl
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = xxx
output_password = xxx
x509_extensions = v3_ca
[certificate_authority]
countryName = ID
stateOrProvinceName = JawaBarat
localityName = Indonesia
organizationName = DIDSI
emailAddress = tekecang at gmail.com
commonName = "802.1x"
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
crlDistributionPoints = URI:http://www.example.org/example_ca.crl
-------------- next part --------------
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 60
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = xxx
output_password = xxx
[server]
countryName = ID
stateOrProvinceName = JawaBarat
localityName = Indonesia
organizationName = DIDSI
emailAddress = tekecang at gmail.com
commonName = "802.1x"
More information about the Freeradius-Users
mailing list