eap_peap: ERROR: TLS Alert read:fatal:unknown CA
L. Rose
lists at lrose.de
Tue Nov 19 19:45:55 CET 2019
Hello everyone,

We've recently upgraded one of our freeradius servers to 3.0.17, the
configuration remains unchanged. Now, whenever a device connects to
WiFi, the authentication fails with:

eap_peap: ERROR: TLS Alert read:fatal:unknown CA

Downgrading freeradius to 3.0.16 fixes the issue, as well as disabling
certificate checking on the client device (but that's obviously not an
option). I've also tried all later versions including 3.0.20, all of
them have this problem. Similarly, all versions 3.0.13 - 3.0.16 are
working successfully.

I was able to rule out the specific git commit which introduces this
problem. #66c66729a51713c8a282b483e3cc76b43a234efa is the last working
version (checked out and built from source).
#595b4ddb9571772322ad2546f0faba91aa32daf1 seems to be the first "faulty"
version.

Any ideas how to fix this issue? I would like to attach the complete
output of freeradius -X, but that contains identifying information
that's hard to strip. But if you need more information, I'll see what I
can do. For now, see the output of freeradius -X for the failing connection.

Is this a bug? I don't think that the behavior of freeradius should
change from 3.0.16 to 3.0.17, especially as the commit message for
#595b4ddb9571772322ad2546f0faba91aa32daf1 only says: "TLS: Allow partial
certificate chain to trusted CA". That doesn't feel like some
functionality was removed, does it?

Thanks in advance,
L. Rose