Error, Unknown CA, Creating attributes from [non existent] server certificate

Alan DeKok aland at deployingradius.com
Thu Aug 25 10:41:16 UTC 2022


On Aug 25, 2022, at 5:53 AM, Emile Swarts <emile.swarts123 at gmail.com> wrote:
> 
> We're using FreeRadius (3.2.0) and successfully authenticating clients over
> EAP-TTLS / Radsec.
> We had one failed authentication yesterday that I am struggling to make
> sense of.
> Verbose logging is enabled so I can see all the details.
> 
> I can see the usual "Creating attributes from server certificate" in the
> authenticate section,
> which then goes on to mention a server certificate (TLS-Cert-Common-Name) that
> I've never heard of, and definitely isn't installed on our FreeRadius
> server.

  The client sends over its entire certificate chain, including all certificates it has.

> The server then sends the following back to the client:
> "send TLS 1.2 Alert, fatal unknown_ca"

  Yes.  The server doesn't know anything about the certificates sent by the client.  So it rejects them.

> I've looked at the C source code but I'm unable to see where this could
> have gotten mixed up, any advice appreciated.
> This has only happened once out of thousands of successful authentications.

 The client has joined your SSID, but is sending a certificate chain for someone else's server.  There's nothing you can do about this on the server side.  The client is doing something wrong.

  You can ignore this.

  Alan DeKok.
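To tell the one-off Alan describes from a recurring client problem, here is an added example (not from the thread and not FreeRADIUS code) that scans debug output for the two messages Emile quoted and reports each request that ended in unknown_ca while presenting a common name other than our own server's. The request-id prefix, the exact line layout and all CN values are constructed; only the quoted phrases come from the thread.

```python
import re
from collections import Counter

# Constructed sample of FreeRADIUS-style debug output. The "(N) eap_ttls:" prefix
# and the CN values are assumptions; the quoted messages are the ones from the thread.
SAMPLE_LOG = """\
(12) eap_ttls: Creating attributes from server certificate
(12) eap_ttls:   TLS-Cert-Common-Name = "radius.example.org"
(12) eap_ttls: (TLS) send TLS 1.2 Alert, fatal unknown_ca
(13) eap_ttls: Creating attributes from server certificate
(13) eap_ttls:   TLS-Cert-Common-Name = "radius.example.org"
(13) eap_ttls: (TLS) send TLS 1.2 Alert, fatal unknown_ca
(14) eap_ttls: Creating attributes from server certificate
(14) eap_ttls:   TLS-Cert-Common-Name = "our-radius.example.net"
(14) eap_ttls: TLS - done
"""

# The CN of the certificate actually installed on our server (constructed value).
EXPECTED_SERVER_CN = "our-radius.example.net"

REQ_RE = re.compile(r"^\((\d+)\)")
CN_RE = re.compile(r'TLS-Cert-Common-Name = "([^"]*)"')
ALERT_RE = re.compile(r"send TLS [0-9.]+ Alert, fatal unknown_ca")


def triage_unknown_ca(log_text, expected_cn):
    """Map request id -> presented CN for every request that hit unknown_ca
    while presenting a CN that is not our own server certificate."""
    cn_by_req = {}
    alerted = set()
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        req = int(m.group(1))
        cn = CN_RE.search(line)
        if cn:
            cn_by_req[req] = cn.group(1)
        if ALERT_RE.search(line):
            alerted.add(req)
    return {r: cn_by_req.get(r) for r in sorted(alerted)
            if cn_by_req.get(r) != expected_cn}


def summarize(findings):
    """Count how often each foreign CN shows up: one hit is a stray client,
    many hits for the same CN point at a misconfigured client population."""
    return Counter(findings.values())


if __name__ == "__main__":
    found = triage_unknown_ca(SAMPLE_LOG, EXPECTED_SERVER_CN)
    for req, cn in found.items():
        print(f"request {req}: unknown_ca after client presented CN {cn!r}")
    print(dict(summarize(found)))
```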
