eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA

Alan DeKok aland at deployingradius.com
Fri Jan 5 14:08:34 UTC 2024

On Jan 5, 2024, at 8:57 AM, Dario Barbon <dbarbon at olicom.eu> wrote:
> Hi all, I'm trying to configure Freeradius (version 3.2.3 on Ubuntu 22.04) to perform either EAP-TLS or EAP-PEAP MSCHAPv2. I need MSCHAPv2 as an alternative configuration for Android 11 devices because we are experiencing the deletion of client certificates and I don't understand why this issue happens.

  I'm not sure what you mean by "deletion of client certificates".  FreeRADIUS doesn't delete certificates.  User devices don't delete certificates.  My guess is something else is going wrong.

> The EAP-TLS configuration works fine with self signed CA and client certs signed by our private CA (except for Android 11 devices as I said).

  But it doesn't work with *what* kind of certificates?  You're not saying.

  If you want to get help with something going wrong, it's usually good to explain what you were doing, and what went wrong.  It doesn't help to say "I did a bunch of things which worked, but I'm not going to explain what I did when things didn't work".

> Below are the logs when I try to connect to Freeradius using MSCHAPv2 (I enabled "bob" user):

> (6) eap_peap: (TLS) recv TLS 1.2 Alert, fatal unknown_ca
> (6) eap_peap: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate.  Please update the client so that it knows about the CA.

  That seems pretty clear.

  This has nothing to do with client certificates.

  Alan DeKok.
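
The point made in the reply above can be checked mechanically: the direction of a TLS alert in the debug log says which side rejected which certificate. The following is an added example, not part of the original thread or of FreeRADIUS; the function names are hypothetical, and apart from the two lines quoted in the thread the sample log lines are constructed (including the assumption that alerts sent by the server are logged with "send").

```python
import re

# Matches the debug-log form quoted in the thread, e.g.
# "(6) eap_peap: (TLS) recv TLS 1.2 Alert, fatal unknown_ca"
ALERT_RE = re.compile(
    r"\((?P<request>\d+)\)\s+(?P<module>eap_\w+):\s+\(TLS\)\s+"
    r"(?P<direction>recv|send)\s+TLS\s+[\d.]+\s+Alert,\s+"
    r"(?P<level>fatal|warning)\s+(?P<alert>\w+)"
)

# Certificate-related alert descriptions defined in RFC 5246, section 7.2.
CERT_ALERTS = {
    "unknown_ca", "bad_certificate", "unsupported_certificate",
    "certificate_revoked", "certificate_expired", "certificate_unknown",
}

def triage(line):
    """Return who rejected whose certificate, or None if the line is not
    a certificate-related TLS alert."""
    m = ALERT_RE.search(line)
    if m is None or m.group("alert") not in CERT_ALERTS:
        return None
    # An alert the server *received* was sent by the client, so it is the
    # client that refused the server certificate, and vice versa.
    received = m.group("direction") == "recv"
    return {
        "request": int(m.group("request")),
        "module": m.group("module"),
        "alert": m.group("alert"),
        "rejecting_side": "client" if received else "server",
        "untrusted_cert": "server" if received else "client",
    }

def triage_log(text):
    """Triage every line of a debug log; keep only certificate alerts."""
    return [f for f in map(triage, text.splitlines()) if f is not None]

# First two lines are quoted from the thread; the last two are constructed.
SAMPLE_LOG = """\
(6) eap_peap: (TLS) recv TLS 1.2 Alert, fatal unknown_ca
(6) eap_peap: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate.
(7) eap_tls: (TLS) send TLS 1.2 Alert, fatal unknown_ca
(8) eap_peap: (TLS) recv TLS 1.2 Alert, fatal protocol_version
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"({f['request']}) {f['module']}: {f['rejecting_side']} does not "
              f"trust the {f['untrusted_cert']} certificate ({f['alert']})")
```

For request 6 this reports that the client does not trust the server certificate, which is why the fix belongs on the client's trusted-CA configuration and not in the client certificates.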
