TLS Alert read:fatal:unknown CA
Fatih Naufal
fatih.avila at gmail.com
Sun Aug 20 04:21:50 CEST 2017
I store it in the local machine, i will try to store it in the user store
then.
Thanks for the help Alan.
On Sun, Aug 20, 2017 at 5:51 AM, Alan Buxey <alan.buxey at gmail.com> wrote:
> No. Not really I wonder if you've installed it in the user store rather
> than system store or such.
>
> alan
>
> On 19 Aug 2017 7:43 pm, "Fatih Naufal" <fatih.avila at gmail.com> wrote:
>
> > Thanks for the reply Alan and Edelberto,
> >
> > I make the certificate based on default cert (/etc/freeradius/certs) and
> > already install it in the right place (Trusted Root Certification
> > Authorities), didn't know what happened but when i try to uncheck the
> > validate server certificate box i can login with no error. Any
> suggestion?
> > is it still safe to connect without validate server by validating the
> > certificates?
> >
> > On Sat, Aug 19, 2017 at 11:31 PM, Alan Buxey <alan.buxey at gmail.com>
> wrote:
> >
> > > Hi
> > >
> > > How did you install it on the Windows client? Just double clicked and
> > chose
> > > default options? You need to make sure you import it into the correct
> > > certificate store location eg local computer/trusted CA location.
> > >
> > > alan
> > >
> > > On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila at gmail.com> wrote:
> > >
> > > > Hi everyone,
> > > >
> > > > I already success create 802.1x wireless authentication using
> > freeradius
> > > > and ldap, i did a test to every device that i have (iphone and laptop
> > > > running windows 10 can connect to 802.1x wireless) but when i try to
> > > > conenct on laptop running windows 7 there's "TLS Alert
> > read:fatal:unknown
> > > > CA" error. I already re-create the root CA (i did this following
> > > > documentation
> > > > http://deployingradius.com/documents/configuration/certificates.html
> ),
> > > > import it to the client, and ensure every detail of the certificate.
> Is
> > > > there any bug with windows 7 or something? any kind of help would be
> > > > appreciated. Thankyou (ca.cnf and server.cnf attached)
> > > >
> > > > Radius log :
> > > > (0) Received Access-Request Id 60 from 172.30.254.3:49431 to
> > > > 172.29.164.218:1812 length 267
> > > > (0) User-Name = "gpler"
> > > > (0) Chargeable-User-Identity = 0x03
> > > > (0) Location-Capable = Civix-Location
> > > > (0) Calling-Station-Id = "6c-71-d9-a9-5e-65"
> > > > (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> > > > (0) NAS-Port = 1
> > > > (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> > > > (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> > > > (0) NAS-IP-Address = 172.30.xxx.x
> > > > (0) NAS-Identifier = "IPB-WLC-5520"
> > > > (0) Airespace-Wlan-Id = 69
> > > > (0) Service-Type = Framed-User
> > > > (0) Framed-MTU = 1300
> > > > (0) NAS-Port-Type = Wireless-802.11
> > > > (0) Tunnel-Type:0 = VLAN
> > > > (0) Tunnel-Medium-Type:0 = IEEE-802
> > > > (0) Tunnel-Private-Group-Id:0 = "255"
> > > > (0) EAP-Message = 0x0202000a0167706c6572
> > > > (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966
> > > > (0) # Executing section authorize from file
> > > > /etc/freeradius/3.0/sites-enabled/default
> > > > (0) authorize {
> > > > (0) policy filter_username {
> > > > (0) if (&User-Name) {
> > > > (0) if (&User-Name) -> TRUE
> > > > (0) if (&User-Name) {
> > > > (0) if (&User-Name =~ /@[^@]*@/ ) {
> > > > (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > > > (0) if (&User-Name =~ /\.\./ ) {
> > > > (0) if (&User-Name =~ /\.\./ ) -> FALSE
> > > > (0) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > > > (0) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> > > ->
> > > > FALSE
> > > > (0) if (&User-Name =~ /\.$/) {
> > > > (0) if (&User-Name =~ /\.$/) -> FALSE
> > > > (0) if (&User-Name =~ /@\./) {
> > > > (0) if (&User-Name =~ /@\./) -> FALSE
> > > > (0) } # if (&User-Name) = notfound
> > > > (0) } # policy filter_username = notfound
> > > > (0) [preprocess] = ok
> > > > (0) [chap] = noop
> > > > (0) [mschap] = noop
> > > > (0) [digest] = noop
> > > > (0) suffix: Checking for suffix after "@"
> > > > (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> > > > (0) suffix: No such realm "NULL"
> > > > (0) [suffix] = noop
> > > > (0) eap: Peer sent EAP Response (code 2) ID 2 length 10
> > > > (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
> the
> > > > rest of authorize
> > > > (0) [eap] = ok
> > > > (0) } # authorize = ok
> > > > (0) Found Auth-Type = eap
> > > > (0) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (0) authenticate {
> > > > (0) eap: Peer sent packet with method EAP Identity (1)
> > > > (0) eap: Calling submodule eap_peap to process data
> > > > (0) eap_peap: Initiating new EAP-TLS session
> > > > (0) eap_peap: [eaptls start] = request
> > > > (0) eap: Sending EAP Request (code 1) ID 3 length 6
> > > > (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498
> > > > (0) [eap] = handled
> > > > (0) } # authenticate = handled
> > > > (0) Using Post-Auth-Type Challenge
> > > > (0) Post-Auth-Type sub-section not found. Ignoring.
> > > > (0) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to
> > > > 172.30.xxx.x:49431 length 0
> > > > (0) EAP-Message = 0x010300061920
> > > > (0) Message-Authenticator = 0x00000000000000000000000000000000
> > > > (0) State = 0x68d16d7c68d27498a8bfbed341c368c9
> > > > (0) Finished request
> > > > Waking up in 4.9 seconds.
> > > > (1) Received Access-Request Id 61 from 172.30.254.3:49431 to
> > > > 172.29.164.218:1812 length 380
> > > > (1) User-Name = "gpler"
> > > > (1) Chargeable-User-Identity = 0x03
> > > > (1) Location-Capable = Civix-Location
> > > > (1) Calling-Station-Id = "6c-71-d9-a9-5e-65"
> > > > (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> > > > (1) NAS-Port = 1
> > > > (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> > > > (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> > > > (1) NAS-IP-Address = 172.30.xxx.x
> > > > (1) NAS-Identifier = "IPB-WLC-5520"
> > > > (1) Airespace-Wlan-Id = 69
> > > > (1) Service-Type = Framed-User
> > > > (1) Framed-MTU = 1300
> > > > (1) NAS-Port-Type = Wireless-802.11
> > > > (1) Tunnel-Type:0 = VLAN
> > > > (1) Tunnel-Medium-Type:0 = IEEE-802
> > > > (1) Tunnel-Private-Group-Id:0 = "255"
> > > > (1) EAP-Message =
> > > > 0x0203006919800000005f160301005a01000056030159978e892bc0cea1
> > > > 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00
> > > > 350005000ac013c014c009c00a003200380013000401000015ff01000100
> > > > 000a0006000400170018000b00020100
> > > > (1) State = 0x68d16d7c68d27498a8bfbed341c368c9
> > > > (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b
> > > > (1) session-state: No cached attributes
> > > > (1) # Executing section authorize from file
> > > > /etc/freeradius/3.0/sites-enabled/default
> > > > (1) authorize {
> > > > (1) policy filter_username {
> > > > (1) if (&User-Name) {
> > > > (1) if (&User-Name) -> TRUE
> > > > (1) if (&User-Name) {
> > > > (1) if (&User-Name =~ /@[^@]*@/ ) {
> > > > (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > > > (1) if (&User-Name =~ /\.\./ ) {
> > > > (1) if (&User-Name =~ /\.\./ ) -> FALSE
> > > > (1) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > > > (1) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> > > ->
> > > > FALSE
> > > > (1) if (&User-Name =~ /\.$/) {
> > > > (1) if (&User-Name =~ /\.$/) -> FALSE
> > > > (1) if (&User-Name =~ /@\./) {
> > > > (1) if (&User-Name =~ /@\./) -> FALSE
> > > > (1) } # if (&User-Name) = notfound
> > > > (1) } # policy filter_username = notfound
> > > > (1) [preprocess] = ok
> > > > (1) [chap] = noop
> > > > (1) [mschap] = noop
> > > > (1) [digest] = noop
> > > > (1) suffix: Checking for suffix after "@"
> > > > (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> > > > (1) suffix: No such realm "NULL"
> > > > (1) [suffix] = noop
> > > > (1) eap: Peer sent EAP Response (code 2) ID 3 length 105
> > > > (1) eap: Continuing tunnel setup
> > > > (1) [eap] = ok
> > > > (1) } # authorize = ok
> > > > (1) Found Auth-Type = eap
> > > > (1) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (1) authenticate {
> > > > (1) eap: Expiring EAP session with state 0x68d16d7c68d27498
> > > > (1) eap: Finished EAP session with state 0x68d16d7c68d27498
> > > > (1) eap: Previous EAP request found for state 0x68d16d7c68d27498,
> > > released
> > > > from the list
> > > > (1) eap: Peer sent packet with method EAP PEAP (25)
> > > > (1) eap: Calling submodule eap_peap to process data
> > > > (1) eap_peap: Continuing EAP-TLS
> > > > (1) eap_peap: Peer indicated complete TLS record size will be 95
> bytes
> > > > (1) eap_peap: Got complete TLS record (95 bytes)
> > > > (1) eap_peap: [eaptls verify] = length included
> > > > (1) eap_peap: (other): before/accept initialization
> > > > (1) eap_peap: TLS_accept: before/accept initialization
> > > > (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004],
> ServerHelloDone
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: TLS_accept: Need to read more data: unknown state
> > > > (1) eap_peap: TLS_accept: Need to read more data: unknown state
> > > > (1) eap_peap: In SSL Handshake Phase
> > > > (1) eap_peap: In SSL Accept mode
> > > > (1) eap_peap: [eaptls process] = handled
> > > > (1) eap: Sending EAP Request (code 1) ID 4 length 778
> > > > (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498
> > > > (1) [eap] = handled
> > > > (1) } # authenticate = handled
> > > > (1) Using Post-Auth-Type Challenge
> > > > (1) Post-Auth-Type sub-section not found. Ignoring.
> > > > (1) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to
> > > > 172.30.xxx.x:49431 length 0
> > > > (1) EAP-Message =
> > > > 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b
> > > > d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001
> > > > 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202
> > > > 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30
> > > > (1) Message-Authenticator = 0x00000000000000000000000000000000
> > > > (1) State = 0x68d16d7c69d57498a8bfbed341c368c9
> > > > (1) Finished request
> > > > Waking up in 4.9 seconds.
> > > > (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to
> > > > 172.29.164.218:1812 length 292
> > > > (2) User-Name = "gpler"
> > > > (2) Chargeable-User-Identity = 0x03
> > > > (2) Location-Capable = Civix-Location
> > > > (2) Calling-Station-Id = "6c-71-d9-a9-5e-65"
> > > > (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> > > > (2) NAS-Port = 1
> > > > (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> > > > (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> > > > (2) NAS-IP-Address = 172.30.xxx.x
> > > > (2) NAS-Identifier = "IPB-WLC-5520"
> > > > (2) Airespace-Wlan-Id = 69
> > > > (2) Service-Type = Framed-User
> > > > (2) Framed-MTU = 1300
> > > > (2) NAS-Port-Type = Wireless-802.11
> > > > (2) Tunnel-Type:0 = VLAN
> > > > (2) Tunnel-Medium-Type:0 = IEEE-802
> > > > (2) Tunnel-Private-Group-Id:0 = "255"
> > > > (2) EAP-Message = 0x0204001119800000000715030100020230
> > > > (2) State = 0x68d16d7c69d57498a8bfbed341c368c9
> > > > (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331
> > > > (2) session-state: No cached attributes
> > > > (2) # Executing section authorize from file
> > > > /etc/freeradius/3.0/sites-enabled/default
> > > > (2) authorize {
> > > > (2) policy filter_username {
> > > > (2) if (&User-Name) {
> > > > (2) if (&User-Name) -> TRUE
> > > > (2) if (&User-Name) {
> > > > (2) if (&User-Name =~ /@[^@]*@/ ) {
> > > > (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > > > (2) if (&User-Name =~ /\.\./ ) {
> > > > (2) if (&User-Name =~ /\.\./ ) -> FALSE
> > > > (2) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > > > (2) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> > > ->
> > > > FALSE
> > > > (2) if (&User-Name =~ /\.$/) {
> > > > (2) if (&User-Name =~ /\.$/) -> FALSE
> > > > (2) if (&User-Name =~ /@\./) {
> > > > (2) if (&User-Name =~ /@\./) -> FALSE
> > > > (2) } # if (&User-Name) = notfound
> > > > (2) } # policy filter_username = notfound
> > > > (2) [preprocess] = ok
> > > > (2) [chap] = noop
> > > > (2) [mschap] = noop
> > > > (2) [digest] = noop
> > > > (2) suffix: Checking for suffix after "@"
> > > > (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> > > > (2) suffix: No such realm "NULL"
> > > > (2) [suffix] = noop
> > > > (2) eap: Peer sent EAP Response (code 2) ID 4 length 17
> > > > (2) eap: Continuing tunnel setup
> > > > (2) [eap] = ok
> > > > (2) } # authorize = ok
> > > > (2) Found Auth-Type = eap
> > > > (2) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (2) authenticate {
> > > > (2) eap: Expiring EAP session with state 0x68d16d7c69d57498
> > > > (2) eap: Finished EAP session with state 0x68d16d7c69d57498
> > > > (2) eap: Previous EAP request found for state 0x68d16d7c69d57498,
> > > released
> > > > from the list
> > > > (2) eap: Peer sent packet with method EAP PEAP (25)
> > > > (2) eap: Calling submodule eap_peap to process data
> > > > (2) eap_peap: Continuing EAP-TLS
> > > > (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes
> > > > (2) eap_peap: Got complete TLS record (7 bytes)
> > > > (2) eap_peap: [eaptls verify] = length included
> > > > (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
> > > > *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA*
> > > > *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state*
> > > > *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)*
> > > > *(2) eap_peap: ERROR: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1
> > > > alert unknown ca*
> > > > *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
> > > > handshake failure*
> > > > *(2) eap_peap: ERROR: System call (I/O) error (-1)*
> > > > *(2) eap_peap: ERROR: TLS receive handshake failed during operation*
> > > > *(2) eap_peap: ERROR: [eaptls process] = fail*
> > > > *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP
> > sub-module
> > > > failed*
> > > > (2) eap: Sending EAP Failure (code 4) ID 4 length 4
> > > > (2) eap: Failed in EAP select
> > > > (2) [eap] = invalid
> > > > (2) } # authenticate = invalid
> > > > (2) Failed to authenticate the user
> > > > (2) Using Post-Auth-Type Reject
> > > > (2) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (2) Post-Auth-Type REJECT {
> > > > (2) attr_filter.access_reject: EXPAND %{User-Name}
> > > > (2) attr_filter.access_reject: --> gpler
> > > > (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
> > > > (2) [attr_filter.access_reject] = updated
> > > > (2) [eap] = noop
> > > > (2) policy remove_reply_message_if_eap {
> > > > (2) if (&reply:EAP-Message && &reply:Reply-Message) {
> > > > (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> > > > (2) else {
> > > > (2) [noop] = noop
> > > > (2) } # else = noop
> > > > (2) } # policy remove_reply_message_if_eap = noop
> > > > (2) } # Post-Auth-Type REJECT = updated
> > > > (2) Delaying response for 1.000000 seconds
> > > > Waking up in 0.3 seconds.
> > > > Waking up in 0.6 seconds.
> > > > (2) Sending delayed response
> > > > (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to
> > > > 172.30.xxx.x:49431
> > > > length 44
> > > > (2) EAP-Message = 0x04040004
> > > > (2) Message-Authenticator = 0x00000000000000000000000000000000
> > > > Waking up in 3.9 seconds.
> > > > (0) Cleaning up request packet ID 60 with timestamp +628
> > > > (1) Cleaning up request packet ID 61 with timestamp +628
> > > > (2) Cleaning up request packet ID 62 with timestamp +628
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > > > list/users.html
> > > >
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > > list/users.html
> > >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
More information about the Freeradius-Users
mailing list