Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Gladewitz, Robert Robert.Gladewitz at
Sun Dec 17 10:44:13 CET 2017

Hello Alan,

thank you for your answer. The problem only happens with Cisco CAPF certificates, which are created by the Cisco CallManager itself for all IP phones. All other authentication (Windows client, WPA etc.) in our environment works fine.

But on the Cisco Call Manager/CUCM, there is no option to change the certificate attributes.

Also interesting is that openssl verify works fine!

Is there maybe a possibility to skip the internal certificate check and use only an external command (like verify -> client)? For me it would also be OK without any certificate check. But I need EAP-TLS to set the voice VLAN.



-----Original Message-----
From: Alan DeKok [mailto:aland at]
Sent: Saturday, 16 December 2017 20:37
To: Gladewitz, Robert <Robert.Gladewitz at>; FreeRadius users mailing list <freeradius-users at>
Subject: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

On Dec 15, 2017, at 1:28 PM, Gladewitz, Robert via Freeradius-Users <freeradius-users at> wrote:
> after the update to version 3 we get the following error in the eap-tls module:

  It's not just FreeRADIUS that's been updated, but also OpenSSL, which implements the TLS portion of EAP-TLS.

> (59) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose

  The certificates don't have the extended key usage OIDs.  Windows needs them.

  The certs created by the scripts included with FreeRADIUS work.

> I do not understand why I get this error. If I use openssl
> verify manually, all seems OK.

  OpenSSL doesn't verify the extended key usage fields.

> In some discussions I found out that something is wrong with the
> extended attributes. But in this case, why does it work fine in the
> freeradius 2 and 1 implementations?

  No idea.

  But you didn't create the certificates correctly.

  You'll need to regenerate the certs with the correct information.  Use the scripts in the raddb/certs/ directory.

  Alan DeKok.
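The difference between a plain `openssl verify` and the check the TLS stack applies can be reproduced on the command line. The script below is an added example, not code from the thread or from FreeRADIUS: it builds a constructed lab CA and two client certificates (one whose extendedKeyUsage lacks clientAuth, one that has it) and compares `openssl verify` with and without `-purpose sslclient`. The names `ca`, `phone` and `laptop` are assumptions; a current `openssl` binary is required.

```shell
#!/bin/sh
# Constructed lab: one CA, two client certs. "phone" mimics a cert whose EKU
# does not permit TLS client use; "laptop" carries clientAuth. (Added example.)
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Self-signed lab CA (hypothetical name, constructed for this example)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 30 -subj "/CN=Lab CA" >/dev/null 2>&1

# issue NAME EKU: sign a leaf cert for NAME with the given extendedKeyUsage
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  printf 'extendedKeyUsage = %s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$1.pem" -days 30 -extfile "$1.ext" >/dev/null 2>&1
}
issue phone serverAuth   # EKU present but without clientAuth
issue laptop clientAuth  # EKU permits use as a TLS client

# show_eku CERT: print the Extended Key Usage line(s) of a certificate
show_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage'
}

# verify_chain CERT: plain chain validation, no purpose check (exit 0 on success)
verify_chain() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# verify_client_purpose CERT: chain validation plus the TLS-client purpose
# check; a cert with an EKU that lacks clientAuth fails here with
# "unsupported certificate purpose" (OpenSSL error 26)
verify_client_purpose() {
  openssl verify -purpose sslclient -CAfile ca.pem "$1" >/dev/null 2>&1
}

for c in phone laptop; do
  show_eku "$c.pem"
  verify_chain "$c.pem" && echo "$c: plain verify OK"
  verify_client_purpose "$c.pem" && echo "$c: sslclient purpose OK" \
    || echo "$c: sslclient purpose REJECTED"
done
```

Both certificates pass the plain verify; only `laptop.pem` passes with `-purpose sslclient`, which is the check a TLS handshake performs on a client certificate.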
