eap_peap: TLS Alert read:fatal:unknown CA

Alan DeKok aland at deployingradius.com
Fri Sep 15 01:26:17 CEST 2017

On Sep 14, 2017, at 2:53 PM, Nicolás Guerra <ngr at vera.com.uy> wrote:
> that did the trick! thank you a lot! 

  You're welcome.

> I copied ca.pem from freeradius server to the client's /etc/ssl/certs/ directory. 
> is this the correct place to place the ca.pem file? 

  If it works...

  TBH, there are just too many different client systems for us to know how to configure all of them.

> I was confused because cellphones (Android, IPhones and Windows phones), and windows notebooks worked fine without the ca.pem 

  They don't.  You had to accept it manually.  Which isn't recommended.

> any idea how can I config my Linux distro to conect without ca.pem? 

  You don't.  You provision the CA certificate to them via some other method.  e.g. administrator intervention.

  And yes, this is a PITA.  There is no standard way to put WiFi / CA configuration onto a system.  And none of the vendors care that it' s a problem.

  Alan DeKok.

More information about the Freeradius-Users mailing list