eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA

Dario Barbon dbarbon at olicom.eu
Fri Jan 5 13:57:59 UTC 2024


Hi all, I'm trying to configure Freeradius (version 3.2.3 on Ubuntu 
22.04) to perform either EAP-TLS or EAP-PEAP MSCHAPv2. I need MSCHAPv2 
as an alternative configuration for Android 11 devices because we are 
experiencing the deletion of client certificates and I don't understand 
why this issue happens.

The EAP-TLS configuration works fine with a self-signed CA and client 
certs signed by our private CA (except for Android 11 devices, as I said).

Below are the logs from when I try to connect to Freeradius using MSCHAPv2 (I 
enabled the "bob" user):

(6) Received Access-Request Id 194 from 172.31.190.2:32773 to 172.31.189.84:1812 length 291
(6)   User-Name = "bob"
(6)   Chargeable-User-Identity = 0x00
(6)   Location-Capable = Civic-Location
(6)   Calling-Station-Id = "9a-8b-7b-d9-b0-cd"
(6)   Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag"
(6)   NAS-Port = 1
(6)   Cisco-AVPair = "audit-session-id=ac1fc7020000006765980031"
(6)   Acct-Session-Id = "65980031/9a:8b:7b:d9:b0:cd/108"
(6)   NAS-IP-Address = 172.31.190.2
(6)   NAS-Identifier = "Cisco_b8:24:65"
(6)   Airespace-Wlan-Id = 2
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1300
(6)   NAS-Port-Type = Wireless-802.11
(6)   Tunnel-Type:0 = VLAN
(6)   Tunnel-Medium-Type:0 = IEEE-802
(6)   Tunnel-Private-Group-Id:0 = "190"
(6)   EAP-Message = 0x0207001119800000000715030300020230
(6)   State = 0xc9ea21cfcced38f11a447042a250057a
(6)   Message-Authenticator = 0xc33e5f6f8276b61b9ab132b4687b2bdb
(6) Restoring &session-state
(6)   &session-state:Framed-MTU = 994
(6)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag
(6)   authorize {
(6)     [preprocess] = ok
(6) eap: Peer sent EAP Response (code 2) ID 7 length 17
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xc9ea21cfcced38f1
(6) eap: Finished EAP session with state 0xc9ea21cfcced38f1
(6) eap: Previous EAP request found for state 0xc9ea21cfcced38f1, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Peer says that the final record size will be 7 bytes
(6) eap_peap: (TLS) EAP Got all data (7 bytes)
(6) eap_peap: (TLS) recv TLS 1.2 Alert, fatal unknown_ca
(6) eap_peap: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate.  Please update the client so that it knows about the CA.
(6) eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA
tls: Removing session f3cdb8967121c0da520898ab8e5f39f803d24f44133c7ba63a4cbfb0ea161412 from the cache
tls: Could not remove persisted session file /var/log/freeradius/tlscache/f3cdb8967121c0da520898ab8e5f39f803d24f44133c7ba63a4cbfb0ea161412.asn1: Permission denied
(6) eap_peap: (TLS) Server : Need to read more data: error
(6) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca
(6) eap_peap: (TLS) In Handshake Phase
(6) eap_peap: (TLS) Application data.
(6) eap_peap: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(6) eap_peap: ERROR: [eaptls process] = fail
(6) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 7 length 4
(6) eap: Failed in EAP select
(6)     [eap] = invalid
(6)   } # authenticate = invalid
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag
(6)   Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> bob
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)     [attr_filter.access_reject] = updated
(6)   } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 194 from 172.31.189.84:1812 to 172.31.190.2:32773 length 44
(6)   EAP-Message = 0x04070004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 188 with timestamp +10 due to cleanup_delay was reached
(1) Cleaning up request packet ID 189 with timestamp +10 due to cleanup_delay was reached
(2) Cleaning up request packet ID 190 with timestamp +10 due to cleanup_delay was reached
(3) Cleaning up request packet ID 191 with timestamp +10 due to cleanup_delay was reached
(4) Cleaning up request packet ID 192 with timestamp +10 due to cleanup_delay was reached
(5) Cleaning up request packet ID 193 with timestamp +10 due to cleanup_delay was reached
(6) Cleaning up request packet ID 194 with timestamp +10 due to cleanup_delay was reached
Ready to process requests

Thanks and best regards.

Dario Barbon
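Added example (not part of the post above, and not FreeRADIUS code): the failure is visible in the raw EAP-Message attribute before the server even explains it. The value 0x0207001119800000000715030300020230 is an EAP Response (code 2, id 7, 17 bytes) of type 25 (PEAP) with the L flag set, carrying one 7-byte TLS record of content type 21 (alert), level 2 (fatal), description 48 (unknown_ca). The script below decodes EAP-Message values copied from radiusd -X output in that way; the alert name table, the field names and the second sample (the EAP Failure 0x04070004 from the same log) are my own, the PEAP sample is the one from the log.

```python
"""Decode the EAP-Message attribute as printed by radiusd -X.

Walks the EAP header, the EAP-TLS/PEAP flags byte and optional 4-byte
TLS length, then the TLS records inside, and names any TLS alert found.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25
TLS_ALERT = 21
TLS_HANDSHAKE = 22
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# TLS AlertDescription values (RFC 5246 / RFC 8446); subset kept short
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 116: "certificate_required",
}

# EAP-Message from request (6) in the log above (the client's fatal alert).
SAMPLE_UNKNOWN_CA = "0x0207001119800000000715030300020230"


def parse_tls_records(payload):
    """Split a TLS record stream into dicts. A record cut short is marked
    truncated rather than raised, since EAP may fragment it (M flag)."""
    records = []
    off = 0
    while off + 5 <= len(payload):
        ctype, major, minor, rlen = struct.unpack("!BBBH", payload[off:off + 5])
        frag = payload[off + 5:off + 5 + rlen]
        rec = {"type": ctype, "version": (major, minor), "length": rlen}
        if len(frag) < rlen:
            rec["truncated"] = True
            records.append(rec)
            break
        if ctype == TLS_ALERT and rlen == 2:
            rec["alert"] = (ALERT_LEVELS.get(frag[0], str(frag[0])),
                            ALERT_DESCRIPTIONS.get(frag[1], f"alert({frag[1]})"))
        elif ctype == TLS_HANDSHAKE and frag:
            rec["handshake_type"] = frag[0]  # e.g. 1 = ClientHello
        records.append(rec)
        off += 5 + rlen
    return records


def parse_eap_message(hexstr):
    """Decode one EAP-Message value ('0x...' as FreeRADIUS prints it)."""
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, str(code)), "id": ident,
           "length": length, "tls_records": []}
    if code not in (1, 2):           # Success/Failure carry no type byte
        return msg
    msg["type"] = data[4]
    if msg["type"] not in (EAP_TYPE_TLS, EAP_TYPE_PEAP) or len(data) < 6:
        return msg
    flags = data[5]                  # L=0x80 M=0x40 S=0x20, low 3 bits = PEAP version
    msg["flags"] = {"length_included": bool(flags & 0x80),
                    "more_fragments": bool(flags & 0x40),
                    "start": bool(flags & 0x20),
                    "version": flags & 0x07}
    off = 6
    if flags & 0x80 and len(data) >= 10:
        msg["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        off = 10
    msg["tls_records"] = parse_tls_records(data[off:])
    return msg


def describe(hexstr):
    """One-line verdict: the TLS alert the peer sent, if any."""
    msg = parse_eap_message(hexstr)
    for rec in msg["tls_records"]:
        if "alert" in rec:
            level, desc = rec["alert"]
            return f"EAP {msg['code']} id={msg['id']}: TLS alert {level} {desc}"
    return f"EAP {msg['code']} id={msg['id']}: no TLS alert"


if __name__ == "__main__":
    print(describe(SAMPLE_UNKNOWN_CA))   # EAP Response id=7: TLS alert fatal unknown_ca
    print(describe("0x04070004"))        # EAP Failure id=7: no TLS alert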





More information about the Freeradius-Users mailing list