After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Alan DeKok aland at
Sun Dec 17 13:30:48 CET 2017

On Dec 17, 2017, at 4:44 AM, Gladewitz, Robert via Freeradius-Users <freeradius-users at> wrote:
> thank you for your answere. The problem only happening on Cisco CAPF Certificates, which will be created by cisco callmanager self for all ip phones. All other authentification (Windows client, WPA etc.) in our enviroment working fine. 

  That is unusual.  I've never seen that before.

> But on cisco call manager/CUCM, there is no option that can change the certificate attributes. 
> Also interess is, that the openssl verify is working fine! 

  As I said already... OpenSSL doesn't check the extended attributes.  It verifies that the certificates are properly formatted, and contain the right signatures.  It *doesn't* check (for example) that the "commonName" field is a properly formatted email address.  There are many, many, things that "openssl verify" doesn't check.

> Ist there may a possebility to skip the internal certificate check and use only an external cammand (like verify -> client)?  For me it will be ok without any certificate check also. But i need eap-tls for set the voice vlan.

  There's nothing in FreeRADIUS which checks for certificate extensions.  So this error is either coming from the client, or from OpenSSL.

  Alan DeKok.

More information about the Freeradius-Users mailing list