Windows cannot authenticate with Freeradius

Alan DeKok aland at
Fri Sep 1 03:55:56 CEST 2017

On Aug 31, 2017, at 2:58 PM, Matthew Pulis <mpulis at> wrote:
> My Windows clients (Win 7 and Win 10) cannot authenticate with Freeradius
> due to this error:
> routines:ssl3_read_bytes:tlsv1 alert unknown ca

  It means that you didn't put the CA certificate on the Windows machine.

  Go do that, and it will work.

> I have searched a bit around and seems to be a problem with the CA
> certification of the server. Is that correct?

  The CA cert is fine.  The problem is that the Windows machine doesn't have a copy of it, and therefore doesn't trust FreeRADIUS when it says "my server cert is signed with this CA".

> As far as I remember last year it was working, but now that I restarted the
> project and am planning to finalise it, we are getting this error. Maybe
> something happened in Windows environment - for example some update?

  Something which deleted the CA certificate.

  *or* the CA certificate was only valid for 12 months, and it expired.

> I haven't touched Freeradius these past 12 months and I forgot what I did,

  This isn't a FreeRADIUS problem.

  Put the CA cert on the Windows machines, and they will be able to authenticate.

  Alan DeKok.

More information about the Freeradius-Users mailing list