EAP failure when using production certificates
Alan DeKok
aland at deployingradius.com
Wed Feb 9 20:43:29 UTC 2022
On Feb 9, 2022, at 3:29 PM, Wayne Fillmer via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I am attempting to set up a freeRADIUS server in a lab environment on Ubuntu 18.04. This server is used to test a WPA supplicant implementation on a piece of portable hardware. I feel reasonably confident the supplicant and nas (Cisco 2950) are configured correctly. I am very much unfamiliar with freeradius - that means I could get pretty far using the available documentation until I ran into trouble. Now I have no idea what to do.
>
> Everything seems to be working according to the guide up until making production certs. I have performed eapol_test tests using the snakeoil certs.
>
> Note: I have created the user "bob" and still have the pwd "hello" at the top of my "users" file. I am using user "bob" and pwd: "hello" when I attempt to connect from the supplicant.
>
> When I create production certs (deployingradius.com instructions) and attempt to authenticate I see the following error (log is followed by excerpts of my .cnf files):
You didn't install the correct CA on the supplicant.
> (9) eap_peap: <<< recv TLS 1.2 [length 0002]
> (9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> (9) eap_peap: TLS_accept: Need to read more data: error
> (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
The supplicant sent a TLS error to FreeRADIUS, saying "I don't know the CA used to sign your server certificate, so I don't trust you, and I won't talk to you".
Install the production CA on the supplicant.
Alan DeKok.
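
Added example (not part of the original message and not FreeRADIUS code): a small Python filter that pulls TLS alert lines out of FreeRADIUS debug output and reports which side sent the alert, which is the distinction the reply above turns on. The first sample lines are copied from the log quoted above; the eap_tls "write" line and the hint texts are constructed for this example and go beyond the single case in the thread.

```python
import re

# Matches lines such as "(9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA"
ALERT_RE = re.compile(
    r"\((?P<session>\d+)\)\s+(?P<module>eap_\w+):\s+(?:ERROR:\s+)?"
    r"TLS Alert (?P<direction>read|write):(?P<level>\w+):(?P<desc>.+?)\s*$"
)

# Hint texts are assumptions written for this example, keyed by (direction, description).
HINTS = {
    ("read", "unknown CA"): "supplicant does not trust the CA that signed the "
                            "server certificate; install that CA on the supplicant",
    ("write", "unknown CA"): "server does not trust the CA that signed the "
                             "client certificate; check the server's CA file",
}

def find_tls_alerts(log_text):
    """Return one dict per TLS alert line; tolerates '>' e-mail quote prefixes."""
    alerts = []
    for raw in log_text.splitlines():
        match = ALERT_RE.search(raw.lstrip("> \t"))
        if not match:
            continue
        alert = match.groupdict()
        alert["session"] = int(alert["session"])
        # "read": the server read an alert sent by the peer (the supplicant).
        # "write": the server itself generated the alert.
        alert["sender"] = "supplicant" if alert["direction"] == "read" else "server"
        alert["hint"] = HINTS.get((alert["direction"], alert["desc"]),
                                  "no hint recorded for this alert")
        alerts.append(alert)
    return alerts

SAMPLE = """\
> (9) eap_peap: <<< recv TLS 1.2 [length 0002]
> (9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> (9) eap_peap: TLS_accept: Need to read more data: error
(12) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
"""  # last line is constructed, not from the thread

if __name__ == "__main__":
    for a in find_tls_alerts(SAMPLE):
        print(f"session {a['session']} [{a['module']}] {a['level']} "
              f"'{a['desc']}' sent by {a['sender']}: {a['hint']}")
```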