unknown CA when trying to authenticate

Tyler Montney montneytyler at gmail.com
Mon Feb 22 16:46:08 CET 2021


" What is the user system running?  How does it authenticate?"

Same OS as FreeRadius, running the Unifi Controller. The controller
authenticates wireless users through RADIUS. RADIUS uses LDAP as its user
database.

"Where does it get the certificates from?"

An internal "LetsEncrypt", step-ca.

"The certificate store you edited is used for web authentication, not WiFi."

Yes, but the EAP module is pointing to that store. I don't see how that's
related to web authentication. If I set the LDAP module's "require_cert" to
'demand' (rather than 'allow'), freeradius will refuse to start with a
similar error. It fails to connect over LDAPS.


On Mon, Feb 22, 2021 at 6:06 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Feb 21, 2021, at 10:57 PM, Tyler Montney <montneytyler at gmail.com>
> wrote:
> >
> > Version 3.0.16, running on Ubuntu 18.04.
> >
> > While running freeradius -X and trying to connect a user (Ubiquiti
> > controller), I see "eap_peap: ERROR: TLS Alert read:fatal:unknown CA".
>
>   What is the user system running?  How does it authenticate?
>
> > /etc/freeradius/3.0/mods-enabled/eap  has its tls-config tls-common
> section
> > like
> >
> > private_key_file = /etc/freeradius/3.0/certs/letsencrypt/privkey.pem
> > certificate_file = /etc/freeradius/3.0/certs/letsencrypt/cert.pem
> > ca_file = /etc/ssl/certs/ca-certificates.crt
>
>   That's good.
>
> > My CA was copied to /usr/local/share/ca-certificates/ and ran
> > dpkg-reconfigure ca-certificates. I then checked ca-certificates.crt and
> > confirmed my CA was appended to the bottom.
>
>   That's not.  You haven't described what you're using to authenticate.
> Where does it get the certificates from?
>
>   The certificate store you edited is used for web authentication, not
> WiFi.
>
>   You need to read the documentation for your system to see how to get
> WiFi authentication working.  This isn't a FreeRADIUS issue.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list