eap_peap: TLS Alert read:fatal:unknown CA
Nicolás Guerra
ngr at vera.com.uy
Thu Sep 14 20:12:49 CEST 2017
Hello everybody,
I didn't find a thread with exactly my problem, so I'm starting a new thread.
I'm having a problem with new certs in my FreeRADIUS server.
I did what the README file says, but it didn't work for me.
In the radiusd -X log I see this:
(14) Received Access-Request Id 143 from 192.168.100.149:43928 to 10.0.130.23:1812 length 343
(14) User-Name = "usuario"
(14) Called-Station-Id = "C4-E9-84-91-2E-FE:OpenWrt"
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Port = 1
(14) Calling-Station-Id = "28-56-5A-0B-6D-83"
(14) Connect-Info = "CONNECT 54Mbps 802.11g"
(14) Acct-Session-Id = "59BA907E-00000018"
(14) WLAN-Pairwise-Cipher = 1027076
(14) WLAN-Group-Cipher = 1027076
(14) WLAN-AKM-Suite = 1027073
(14) Framed-MTU = 1400
(14) EAP-Message = 0x02e70090198000000086160301004610000042410492d1ad5ac120e777664ce20c7c650f4e41bc63a2eca81c1dbe4823c38737e4b81569bf9ec7f238534875e6f5b1525501127a1b9d59f780572d294986bb2f82091403010001011603010030d0e814aba78d0c8affc8aca00d5577364bcf5880d8616f
(14) State = 0x64dfe0536738f990f317a982d66da244
(14) Message-Authenticator = 0x5340ff52aba979858d1a8e7d661ac258
(14) session-state: No cached attributes
(14) # Executing section authorize from file /etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (!&User-Name) {
(14) if (!&User-Name) -> FALSE
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@.*@/ ) {
(14) if (&User-Name =~ /@.*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "usuario", looking up realm NULL
(14) suffix: No such realm "NULL"
(14) [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 231 length 144
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) authenticate {
(14) eap: Expiring EAP session with state 0x64dfe0536738f990
(14) eap: Finished EAP session with state 0x64dfe0536738f990
(14) eap: Previous EAP request found for state 0x64dfe0536738f990, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(14) eap_peap: Got complete TLS record (134 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(14) eap_peap: TLS_accept: SSLv3 read client key exchange A
(14) eap_peap: TLS_accept: SSLv3 read certificate verify A
(14) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(14) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(14) eap_peap: TLS_accept: SSLv3 read finished A
(14) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(14) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(14) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(14) eap_peap: TLS_accept: SSLv3 write finished A
(14) eap_peap: TLS_accept: SSLv3 flush data
(14) eap_peap: (other): SSL negotiation finished successfully
(14) eap_peap: SSL Connection Established
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 232 length 65
(14) eap: EAP session adding &reply:State = 0x64dfe0536037f990
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Sent Access-Challenge Id 143 from 10.0.130.23:1812 to 192.168.100.149:43928 length 0
(14) EAP-Message = 0x01e80041190014030100010116030100307ed7fccb2ae6411aaf4df33748b8b02954729256ddd506ace2d362f9cd28c4e05489136e8cbd84abb28b3d0921f1300a
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x64dfe0536037f990f317a982d66da244
(14) Finished request
(14) Cleaning up request packet ID 143 with timestamp +187
Ready to process requests
Up to here, everything seems right.
But when I start the service, in the service log I see this:
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
Thu Sep 14 14:09:13 2017 : Auth: (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [usuario] (from client wrtnicolas.fder port 1 cli 28-56-5A-0B-6D-83)
Any help will be welcome.
saludos/greetings
Nicolás.
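The detail that decides where to look in a case like the one above is the direction word in the alert line: FreeRADIUS prints these lines from OpenSSL's info callback, where "read" means the alert arrived from the peer (the supplicant) and "write" means the server sent it. "TLS Alert read:fatal:unknown CA" therefore says the client rejected the server certificate, not that the server rejected anything. The following script is an added example, not code from the post or from the FreeRADIUS project; it parses both log formats shown above (the radiusd -X form and the timestamped service-log form), with constructed sample lines, and maps each alert to the side of the handshake that refused the certificate. The request-21 line with an alert in the opposite direction is invented to show the other case.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the two log formats in the post: the radiusd -X
# debug format "(N) eap_peap: ..." and the service log with a timestamp and
# "ERROR:" prefix. Request 21 is an invented line showing the opposite direction.
SAMPLE_LOG = """\
(14) eap_peap: SSL Connection Established
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A
Thu Sep 14 14:09:13 2017 : Auth: (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [usuario] (from client wrtnicolas.fder port 1 cli 28-56-5A-0B-6D-83)
(21) eap_tls: TLS Alert write:fatal:unknown CA
"""

# Matches "(N) eap_<method>: [ERROR:] TLS Alert <read|write>:<level>:<description>".
# The "Login incorrect (...)" summary line has no "(N) eap_" prefix before the
# alert text, so it is deliberately not matched: it only repeats the alert.
ALERT_RE = re.compile(
    r"\((?P<req>\d+)\)\s+eap_(?P<method>\w+):\s+(?:ERROR:\s+)?"
    r"TLS Alert\s+(?P<direction>read|write):(?P<level>fatal|warning):(?P<desc>[^)]+)"
)


@dataclass(frozen=True)
class TlsAlert:
    request_id: int
    method: str        # EAP submodule that logged it, e.g. "peap" or "tls"
    direction: str     # "read": received from the supplicant; "write": sent by the server
    level: str
    description: str

    @property
    def sent_by_peer(self) -> bool:
        return self.direction == "read"


def parse_tls_alert(line: str) -> Optional[TlsAlert]:
    """Return the TLS alert logged on this line, or None if the line carries none."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return TlsAlert(int(m["req"]), m["method"], m["direction"], m["level"], m["desc"].strip())


def diagnose(alert: TlsAlert) -> str:
    """Name the side of the handshake that refused a certificate.

    OpenSSL's info callback reports 'read' for alerts received from the peer
    and 'write' for alerts the local side sent; FreeRADIUS logs it verbatim.
    """
    if alert.description == "unknown CA":
        if alert.sent_by_peer:
            return ("supplicant rejected the server certificate: the CA that signed it is not "
                    "in the client's trust store, or the server did not send the intermediate chain")
        return "server rejected the client certificate: its issuer is not in the server's CA file"
    side = "supplicant" if alert.sent_by_peer else "server"
    return f"{side} aborted the handshake with alert '{alert.description}'"


def triage(log_text: str) -> dict[int, dict]:
    """Collect one finding per request id: the first alert seen and its diagnosis."""
    findings: dict[int, dict] = {}
    for line in log_text.splitlines():
        alert = parse_tls_alert(line)
        if alert is None or alert.request_id in findings:
            continue  # later lines for the same request repeat the same failure
        findings[alert.request_id] = {"alert": alert, "diagnosis": diagnose(alert)}
    return findings


if __name__ == "__main__":
    for req, finding in triage(SAMPLE_LOG).items():
        a = finding["alert"]
        print(f"request {req}: eap_{a.method} {a.direction} {a.level} '{a.description}'"
              f" -> {finding['diagnosis']}")
```

Run against the service log (radiusd.log) rather than the -X output when the -X run looks clean, as in the post: the debug session above completes the handshake because that supplicant happened to trust the CA, while the failing request came from a client whose trust store does not contain it. The check that follows from a "read" alert is on the client side (which CA the supplicant is configured to validate against) and on whether the server's certificate_file includes any intermediate needed to reach that CA.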
More information about the Freeradius-Users mailing list