AW: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Gladewitz, Robert Robert.Gladewitz at
Thu Dec 21 11:50:45 CET 2017


i can not export an new ca infrastructure on one time, because it will be have to many phone clients, there lost the connection!.

My Idea is, that we ignore all client certificates (server certificate sending will be ok) for the time we published the new certificates on all cisco clients. 

At the moment, i configures Auth-Type = eap8021xciscophone in my database and eap8021xciscophone is configured as ttls including this wrong ca infrastructure. 

So, on which part I can send the accept to the switch, without check the client certificate and ca?? The autorize prozess is correctly done.


-----Ursprüngliche Nachricht-----
Von: Stefan Winter [mailto:stefan.winter at] 
Gesendet: Donnerstag, 21. Dezember 2017 11:08
An: Gladewitz, Robert <Robert.Gladewitz at>; FreeRadius users mailing list <freeradius-users at>
Betreff: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate


> is there a possible way, to ignore all certificates in ttls and send an accept??

paraphrased, you ask "Is there a way to throw overboard all security, and to make my users susceptible to MITM attacks?"

Surprisingly, the answer is "Yes, that's the default behaviour." A non-configured supplicant will typically accept all certificates thrown at it, at best with a UI question like "Do you think that cert is okay?"

That's a client-side problem though - FreeRADIUS always needs to *send* a server certificate.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6245 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list