unknown CA when trying to authenticate

Carsten Schulze carsten.schulze at leuphana.de
Mon Feb 22 18:06:08 CET 2021


Hi,

I have the same problem: with different devices, no connection and all 
with an "unknown CA" error. I googled a little bit and found 
"eapol_test", but the FreeRADIUS documentation is outdated.

In short, maybe it helps.
----

wget http://w1.fi/releases/wpa_supplicant-2.9.tar.gz
tar xzf wpa_supplicant-2.9.tar.gz
cd wpa_supplicant-2.9/wpa_supplicant
cp defconfig .config    # set CONFIG_EAPOL_TEST=y in .config before building
make eapol_test
cat ttls-eap-mschapv2.conf
#
#   eapol_test -c ttls-eap-mschapv2.conf -s testing123
#
network={
         ssid="example"
         key_mgmt=WPA-EAP
         eap=TTLS
         identity="UIDr"
         anonymous_identity="anonymous"
         password="PASSWORD"
         phase2="autheap=MSCHAPV2"

         #
         #  Uncomment the following to perform server certificate validation.
         ca_cert="/etc/freeradius/3.0/certs/ca-gen2.pem"
}
Run it:
./eapol_test -c ttls-eap-mschapv2.conf -s testing123

Eaptool-log
---cut
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

//Freeradius-Log
Login OK: [UID] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)

I have no idea what the problem might be.

The ca-cert chain contains the "ROOT-CA" -> "Intermediate-CA" -> 
"Local-CA", is this correct? Do I need the complete chain on the device 
(Android/Windows)?

Please let me know if you find out anything.

Regards
Carsten

On 22.02.2021 at 17:22, Tyler Montney wrote:
> "That really isn't answering my question. Do the users have access to the
> shell on the Unifi controller?  Or are the users trying to gain network
> access via WiFi? If it's the second one, then again... what is the user
> system running?  How did you configure it?"
>
> For instance, a Windows client trying to connect to a WiFi network. It
> tries to connect, is prompted for a username and password, then says "Can't
> connect to this network". (Simultaneously, I have "freeradius -X" running,
> where I see the CA error.)
>
> "You configured the end-user system to use WiFi."
>
> The only thing I have done on the end user system is import the root CA.
>
> "There is existing documentation which tells you how to configure WiFi."
>
> Please verify which documentation you're referring to, so that I know we're
> on the same page.
>
> On Mon, Feb 22, 2021 at 10:05 AM Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Feb 22, 2021, at 10:46 AM, Tyler Montney <montneytyler at gmail.com>
>> wrote:
>>> " What is the user system running?  How does it authenticate?"
>>>
>>> Same OS as FreeRadius, running the Unifi Controller. The controller
>>> authenticates wireless users through RADIUS. RADIUS uses LDAP as its user
>>> database.
>>    That really isn't answering my question.
>>
>>    Do the users have access to the shell on the Unifi controller?  Or are
>> the users trying to gain network access via WiFi?
>>
>>    If it's the second one, then again... what is the user system running?
>> How did you configure it?
>>
>>> "Where does it get the certificates from?"
>>>
>>> An internal "LetsEncrypt", step-ca.
>>    That is also not answering my question.  You configured the end-user
>> system to use WiFi.  As part of that process, you either did (or didn't)
>> configure names, EAP type, certificates, etc.
>>
>>    So... did you do that?  If so, what did you do?
>>
>>> "The certificate store you edited is used for web authentication, not
>> WiFi."
>>> Yes, but the EAP module is pointing to that store. I don't see how that's
>>> related to web authentication.
>>    In most systems, the default certificate stores are different for Web
>> and for EAP.  You do NOT want to use the same certificate store for both.
>>
>>> If I set the LDAP module's "require_cert" to
>>> 'demand' (rather than 'allow'), freeradius will refuse to start with a
>>> similar error. It fails to connect over LDAPS.
>>    At this point, it's not at all clear what you're doing, or why.
>>
>>    You aren't configuring FreeRADIUS using the normal process of putting
>> the certs into raddb/certs.  You aren't following any of the available "how
>> to" guides for configuring FreeRADIUS, or EAP, or WiFi.
>>
>>    There is existing documentation which tells you how to configure WiFi.
>> Please follow it.
>>
>>    And please also understand that *end user* systems are different than
>> the Unifi controller, where you configure FreeRADIUS.  Those end-user
>> systems also need to be configured correctly for EAP / WiFi.  It looks very
>> much like you haven't done that.
>>
>>    Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

