TLS Alert read:fatal:unknown CA

Stefan Winter stefan.winter at restena.lu
Mon Aug 21 10:02:46 CEST 2017


Hello,

you should also note that doing this manually does not scale at all.
Non-you users without a tech clue will rather tick that insecure box
than jump through the hoops if it's too difficult.

You may want to consider generating automated installers, e.g. check out
https://802.1x-config.org

There used to be a section about 802.1X and secure client-side config on
the old FreeRADIUS website, but I can't find it on the new one right now.

Is that content still there?

Greetings,

Stefan Winter

Am 20.08.2017 um 04:21 schrieb Fatih Naufal:
> I store it in the local machine, i will try to store it in the user store
> then.
> Thanks for the help Alan.
> 
> On Sun, Aug 20, 2017 at 5:51 AM, Alan Buxey <alan.buxey at gmail.com> wrote:
> 
>> No. Not really I wonder if you've installed it in the user store rather
>> than system store or such.
>>
>> alan
>>
>> On 19 Aug 2017 7:43 pm, "Fatih Naufal" <fatih.avila at gmail.com> wrote:
>>
>>> Thanks for the reply Alan and Edelberto,
>>>
>>> I make the certificate based on default cert (/etc/freeradius/certs) and
>>> already install it in the right place (Trusted Root Certification
>>> Authorities), didn't know what happened but when i try to uncheck the
>>> validate server certificate box i can login with no error. Any
>> suggestion?
>>> is it still safe to connect without validate server by validating the
>>> certificates?
>>>
>>> On Sat, Aug 19, 2017 at 11:31 PM, Alan Buxey <alan.buxey at gmail.com>
>> wrote:
>>>
>>>> Hi
>>>>
>>>> How did you install it on the Windows client? Just double clicked and
>>> chose
>>>> default options? You need to make sure you import it into the correct
>>>> certificate store location  eg local computer/trusted CA location.
>>>>
>>>> alan
>>>>
>>>> On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila at gmail.com> wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I already success create 802.1x wireless authentication using
>>> freeradius
>>>>> and ldap, i did a test to every device that i have (iphone and laptop
>>>>> running windows 10 can connect to 802.1x wireless) but when i try to
>>>>> conenct on laptop running windows 7 there's "TLS Alert
>>> read:fatal:unknown
>>>>> CA" error. I already re-create the root CA (i did this following
>>>>> documentation
>>>>> http://deployingradius.com/documents/configuration/certificates.html
>> ),
>>>>> import it to the client, and ensure every detail of the certificate.
>> Is
>>>>> there any bug with windows 7 or something? any kind of help would be
>>>>> appreciated. Thankyou (ca.cnf and server.cnf attached)
>>>>>
>>>>> Radius log :
>>>>> (0) Received Access-Request Id 60 from 172.30.254.3:49431 to
>>>>> 172.29.164.218:1812 length 267
>>>>> (0)   User-Name = "gpler"
>>>>> (0)   Chargeable-User-Identity = 0x03
>>>>> (0)   Location-Capable = Civix-Location
>>>>> (0)   Calling-Station-Id = "6c-71-d9-a9-5e-65"
>>>>> (0)   Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
>>>>> (0)   NAS-Port = 1
>>>>> (0)   Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
>>>>> (0)   Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
>>>>> (0)   NAS-IP-Address = 172.30.xxx.x
>>>>> (0)   NAS-Identifier = "IPB-WLC-5520"
>>>>> (0)   Airespace-Wlan-Id = 69
>>>>> (0)   Service-Type = Framed-User
>>>>> (0)   Framed-MTU = 1300
>>>>> (0)   NAS-Port-Type = Wireless-802.11
>>>>> (0)   Tunnel-Type:0 = VLAN
>>>>> (0)   Tunnel-Medium-Type:0 = IEEE-802
>>>>> (0)   Tunnel-Private-Group-Id:0 = "255"
>>>>> (0)   EAP-Message = 0x0202000a0167706c6572
>>>>> (0)   Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966
>>>>> (0) # Executing section authorize from file
>>>>> /etc/freeradius/3.0/sites-enabled/default
>>>>> (0)   authorize {
>>>>> (0)     policy filter_username {
>>>>> (0)       if (&User-Name) {
>>>>> (0)       if (&User-Name)  -> TRUE
>>>>> (0)       if (&User-Name)  {
>>>>> (0)         if (&User-Name =~ /@[^@]*@/ ) {
>>>>> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>>>>> (0)         if (&User-Name =~ /\.\./ ) {
>>>>> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>>>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~
>>> /@(.+)\.(.+)$/))  {
>>>>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))
>>>>  ->
>>>>> FALSE
>>>>> (0)         if (&User-Name =~ /\.$/)  {
>>>>> (0)         if (&User-Name =~ /\.$/)   -> FALSE
>>>>> (0)         if (&User-Name =~ /@\./)  {
>>>>> (0)         if (&User-Name =~ /@\./)   -> FALSE
>>>>> (0)       } # if (&User-Name)  = notfound
>>>>> (0)     } # policy filter_username = notfound
>>>>> (0)     [preprocess] = ok
>>>>> (0)     [chap] = noop
>>>>> (0)     [mschap] = noop
>>>>> (0)     [digest] = noop
>>>>> (0) suffix: Checking for suffix after "@"
>>>>> (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL
>>>>> (0) suffix: No such realm "NULL"
>>>>> (0)     [suffix] = noop
>>>>> (0) eap: Peer sent EAP Response (code 2) ID 2 length 10
>>>>> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
>> the
>>>>> rest of authorize
>>>>> (0)     [eap] = ok
>>>>> (0)   } # authorize = ok
>>>>> (0) Found Auth-Type = eap
>>>>> (0) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (0)   authenticate {
>>>>> (0) eap: Peer sent packet with method EAP Identity (1)
>>>>> (0) eap: Calling submodule eap_peap to process data
>>>>> (0) eap_peap: Initiating new EAP-TLS session
>>>>> (0) eap_peap: [eaptls start] = request
>>>>> (0) eap: Sending EAP Request (code 1) ID 3 length 6
>>>>> (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498
>>>>> (0)     [eap] = handled
>>>>> (0)   } # authenticate = handled
>>>>> (0) Using Post-Auth-Type Challenge
>>>>> (0) Post-Auth-Type sub-section not found.  Ignoring.
>>>>> (0) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to
>>>>> 172.30.xxx.x:49431 length 0
>>>>> (0)   EAP-Message = 0x010300061920
>>>>> (0)   Message-Authenticator = 0x00000000000000000000000000000000
>>>>> (0)   State = 0x68d16d7c68d27498a8bfbed341c368c9
>>>>> (0) Finished request
>>>>> Waking up in 4.9 seconds.
>>>>> (1) Received Access-Request Id 61 from 172.30.254.3:49431 to
>>>>> 172.29.164.218:1812 length 380
>>>>> (1)   User-Name = "gpler"
>>>>> (1)   Chargeable-User-Identity = 0x03
>>>>> (1)   Location-Capable = Civix-Location
>>>>> (1)   Calling-Station-Id = "6c-71-d9-a9-5e-65"
>>>>> (1)   Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
>>>>> (1)   NAS-Port = 1
>>>>> (1)   Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
>>>>> (1)   Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
>>>>> (1)   NAS-IP-Address = 172.30.xxx.x
>>>>> (1)   NAS-Identifier = "IPB-WLC-5520"
>>>>> (1)   Airespace-Wlan-Id = 69
>>>>> (1)   Service-Type = Framed-User
>>>>> (1)   Framed-MTU = 1300
>>>>> (1)   NAS-Port-Type = Wireless-802.11
>>>>> (1)   Tunnel-Type:0 = VLAN
>>>>> (1)   Tunnel-Medium-Type:0 = IEEE-802
>>>>> (1)   Tunnel-Private-Group-Id:0 = "255"
>>>>> (1)   EAP-Message =
>>>>> 0x0203006919800000005f160301005a01000056030159978e892bc0cea1
>>>>> 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00
>>>>> 350005000ac013c014c009c00a003200380013000401000015ff01000100
>>>>> 000a0006000400170018000b00020100
>>>>> (1)   State = 0x68d16d7c68d27498a8bfbed341c368c9
>>>>> (1)   Message-Authenticator = 0x9e55b07936045ad7e26084813251454b
>>>>> (1) session-state: No cached attributes
>>>>> (1) # Executing section authorize from file
>>>>> /etc/freeradius/3.0/sites-enabled/default
>>>>> (1)   authorize {
>>>>> (1)     policy filter_username {
>>>>> (1)       if (&User-Name) {
>>>>> (1)       if (&User-Name)  -> TRUE
>>>>> (1)       if (&User-Name)  {
>>>>> (1)         if (&User-Name =~ /@[^@]*@/ ) {
>>>>> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>>>>> (1)         if (&User-Name =~ /\.\./ ) {
>>>>> (1)         if (&User-Name =~ /\.\./ )  -> FALSE
>>>>> (1)         if ((&User-Name =~ /@/) && (&User-Name !~
>>> /@(.+)\.(.+)$/))  {
>>>>> (1)         if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))
>>>>  ->
>>>>> FALSE
>>>>> (1)         if (&User-Name =~ /\.$/)  {
>>>>> (1)         if (&User-Name =~ /\.$/)   -> FALSE
>>>>> (1)         if (&User-Name =~ /@\./)  {
>>>>> (1)         if (&User-Name =~ /@\./)   -> FALSE
>>>>> (1)       } # if (&User-Name)  = notfound
>>>>> (1)     } # policy filter_username = notfound
>>>>> (1)     [preprocess] = ok
>>>>> (1)     [chap] = noop
>>>>> (1)     [mschap] = noop
>>>>> (1)     [digest] = noop
>>>>> (1) suffix: Checking for suffix after "@"
>>>>> (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL
>>>>> (1) suffix: No such realm "NULL"
>>>>> (1)     [suffix] = noop
>>>>> (1) eap: Peer sent EAP Response (code 2) ID 3 length 105
>>>>> (1) eap: Continuing tunnel setup
>>>>> (1)     [eap] = ok
>>>>> (1)   } # authorize = ok
>>>>> (1) Found Auth-Type = eap
>>>>> (1) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (1)   authenticate {
>>>>> (1) eap: Expiring EAP session with state 0x68d16d7c68d27498
>>>>> (1) eap: Finished EAP session with state 0x68d16d7c68d27498
>>>>> (1) eap: Previous EAP request found for state 0x68d16d7c68d27498,
>>>> released
>>>>> from the list
>>>>> (1) eap: Peer sent packet with method EAP PEAP (25)
>>>>> (1) eap: Calling submodule eap_peap to process data
>>>>> (1) eap_peap: Continuing EAP-TLS
>>>>> (1) eap_peap: Peer indicated complete TLS record size will be 95
>> bytes
>>>>> (1) eap_peap: Got complete TLS record (95 bytes)
>>>>> (1) eap_peap: [eaptls verify] = length included
>>>>> (1) eap_peap: (other): before/accept initialization
>>>>> (1) eap_peap: TLS_accept: before/accept initialization
>>>>> (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004],
>> ServerHelloDone
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: TLS_accept: Need to read more data: unknown state
>>>>> (1) eap_peap: TLS_accept: Need to read more data: unknown state
>>>>> (1) eap_peap: In SSL Handshake Phase
>>>>> (1) eap_peap: In SSL Accept mode
>>>>> (1) eap_peap: [eaptls process] = handled
>>>>> (1) eap: Sending EAP Request (code 1) ID 4 length 778
>>>>> (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498
>>>>> (1)     [eap] = handled
>>>>> (1)   } # authenticate = handled
>>>>> (1) Using Post-Auth-Type Challenge
>>>>> (1) Post-Auth-Type sub-section not found.  Ignoring.
>>>>> (1) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to
>>>>> 172.30.xxx.x:49431 length 0
>>>>> (1)   EAP-Message =
>>>>> 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b
>>>>> d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001
>>>>> 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202
>>>>> 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30
>>>>> (1)   Message-Authenticator = 0x00000000000000000000000000000000
>>>>> (1)   State = 0x68d16d7c69d57498a8bfbed341c368c9
>>>>> (1) Finished request
>>>>> Waking up in 4.9 seconds.
>>>>> (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to
>>>>> 172.29.164.218:1812 length 292
>>>>> (2)   User-Name = "gpler"
>>>>> (2)   Chargeable-User-Identity = 0x03
>>>>> (2)   Location-Capable = Civix-Location
>>>>> (2)   Calling-Station-Id = "6c-71-d9-a9-5e-65"
>>>>> (2)   Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
>>>>> (2)   NAS-Port = 1
>>>>> (2)   Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
>>>>> (2)   Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
>>>>> (2)   NAS-IP-Address = 172.30.xxx.x
>>>>> (2)   NAS-Identifier = "IPB-WLC-5520"
>>>>> (2)   Airespace-Wlan-Id = 69
>>>>> (2)   Service-Type = Framed-User
>>>>> (2)   Framed-MTU = 1300
>>>>> (2)   NAS-Port-Type = Wireless-802.11
>>>>> (2)   Tunnel-Type:0 = VLAN
>>>>> (2)   Tunnel-Medium-Type:0 = IEEE-802
>>>>> (2)   Tunnel-Private-Group-Id:0 = "255"
>>>>> (2)   EAP-Message = 0x0204001119800000000715030100020230
>>>>> (2)   State = 0x68d16d7c69d57498a8bfbed341c368c9
>>>>> (2)   Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331
>>>>> (2) session-state: No cached attributes
>>>>> (2) # Executing section authorize from file
>>>>> /etc/freeradius/3.0/sites-enabled/default
>>>>> (2)   authorize {
>>>>> (2)     policy filter_username {
>>>>> (2)       if (&User-Name) {
>>>>> (2)       if (&User-Name)  -> TRUE
>>>>> (2)       if (&User-Name)  {
>>>>> (2)         if (&User-Name =~ /@[^@]*@/ ) {
>>>>> (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>>>>> (2)         if (&User-Name =~ /\.\./ ) {
>>>>> (2)         if (&User-Name =~ /\.\./ )  -> FALSE
>>>>> (2)         if ((&User-Name =~ /@/) && (&User-Name !~
>>> /@(.+)\.(.+)$/))  {
>>>>> (2)         if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))
>>>>  ->
>>>>> FALSE
>>>>> (2)         if (&User-Name =~ /\.$/)  {
>>>>> (2)         if (&User-Name =~ /\.$/)   -> FALSE
>>>>> (2)         if (&User-Name =~ /@\./)  {
>>>>> (2)         if (&User-Name =~ /@\./)   -> FALSE
>>>>> (2)       } # if (&User-Name)  = notfound
>>>>> (2)     } # policy filter_username = notfound
>>>>> (2)     [preprocess] = ok
>>>>> (2)     [chap] = noop
>>>>> (2)     [mschap] = noop
>>>>> (2)     [digest] = noop
>>>>> (2) suffix: Checking for suffix after "@"
>>>>> (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL
>>>>> (2) suffix: No such realm "NULL"
>>>>> (2)     [suffix] = noop
>>>>> (2) eap: Peer sent EAP Response (code 2) ID 4 length 17
>>>>> (2) eap: Continuing tunnel setup
>>>>> (2)     [eap] = ok
>>>>> (2)   } # authorize = ok
>>>>> (2) Found Auth-Type = eap
>>>>> (2) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (2)   authenticate {
>>>>> (2) eap: Expiring EAP session with state 0x68d16d7c69d57498
>>>>> (2) eap: Finished EAP session with state 0x68d16d7c69d57498
>>>>> (2) eap: Previous EAP request found for state 0x68d16d7c69d57498,
>>>> released
>>>>> from the list
>>>>> (2) eap: Peer sent packet with method EAP PEAP (25)
>>>>> (2) eap: Calling submodule eap_peap to process data
>>>>> (2) eap_peap: Continuing EAP-TLS
>>>>> (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes
>>>>> (2) eap_peap: Got complete TLS record (7 bytes)
>>>>> (2) eap_peap: [eaptls verify] = length included
>>>>> (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
>>>>> *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA*
>>>>> *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state*
>>>>> *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)*
>>>>> *(2) eap_peap: ERROR: error:14094418:SSL
>> routines:ssl3_read_bytes:tlsv1
>>>>> alert unknown ca*
>>>>> *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
>>>>> handshake failure*
>>>>> *(2) eap_peap: ERROR: System call (I/O) error (-1)*
>>>>> *(2) eap_peap: ERROR: TLS receive handshake failed during operation*
>>>>> *(2) eap_peap: ERROR: [eaptls process] = fail*
>>>>> *(2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP
>>> sub-module
>>>>> failed*
>>>>> (2) eap: Sending EAP Failure (code 4) ID 4 length 4
>>>>> (2) eap: Failed in EAP select
>>>>> (2)     [eap] = invalid
>>>>> (2)   } # authenticate = invalid
>>>>> (2) Failed to authenticate the user
>>>>> (2) Using Post-Auth-Type Reject
>>>>> (2) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (2)   Post-Auth-Type REJECT {
>>>>> (2) attr_filter.access_reject: EXPAND %{User-Name}
>>>>> (2) attr_filter.access_reject:    --> gpler
>>>>> (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
>>>>> (2)     [attr_filter.access_reject] = updated
>>>>> (2)     [eap] = noop
>>>>> (2)     policy remove_reply_message_if_eap {
>>>>> (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
>>>>> (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>>>>> (2)       else {
>>>>> (2)         [noop] = noop
>>>>> (2)       } # else = noop
>>>>> (2)     } # policy remove_reply_message_if_eap = noop
>>>>> (2)   } # Post-Auth-Type REJECT = updated
>>>>> (2) Delaying response for 1.000000 seconds
>>>>> Waking up in 0.3 seconds.
>>>>> Waking up in 0.6 seconds.
>>>>> (2) Sending delayed response
>>>>> (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to
>>>>> 172.30.xxx.x:49431
>>>>> length 44
>>>>> (2)   EAP-Message = 0x04040004
>>>>> (2)   Message-Authenticator = 0x00000000000000000000000000000000
>>>>> Waking up in 3.9 seconds.
>>>>> (0) Cleaning up request packet ID 60 with timestamp +628
>>>>> (1) Cleaning up request packet ID 61 with timestamp +628
>>>>> (2) Cleaning up request packet ID 62 with timestamp +628
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>>> list/users.html
>>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>> list/users.html
>>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>> list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170821/6d5b9084/attachment-0001.sig>


More information about the Freeradius-Users mailing list