eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA

Alan DeKok aland at deployingradius.com
Fri Jan 5 21:14:54 UTC 2024

On Jan 5, 2024, at 1:11 PM, Dario Barbon <dbarbon at olicom.eu> wrote:
> Hi Alan, I enabled the mschapv2 section inside the eap file and it works... thanks again for your support.

  That's good.

> Regarding the source of my problems, I confirm that Android 11 devices continue to "lose" the installed client certificate: this time I collected the logs as you suggested after the device lost the certificate.
> ...
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag
> (0)   authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_tls to process data
> (0) eap_tls: (TLS) Initiating new session
> (0) eap_tls: (TLS) Setting verify mode to require certificate from client

  FreeRADIUS is doing EAP-TLS, and asking for a client cert.

> ...
> (1)   EAP-Message = 0x020200060300
> (1)...
> (1) eap: Peer sent EAP Response (code 2) ID 2 length 6
> (1) eap: Ignoring NAK with request for unknown EAP type

  The client sent "No, I'm not doing EAP-TLS, and I have no other options".

  Yeah, the client is broken.  There is nothing you can do to FreeRADIUS to fix it.

  I'd suggest filing a bug report with Google.

  Alan DeKok.
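
Added example, not part of the original message or of FreeRADIUS: a small decoder for the EAP-Message value in the debug output above, following the RFC 3748 packet layout, where a Legacy Nak (type 3) carrying method 0 means the peer proposes no alternative. The function names and the second sample value are assumptions made for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method type numbers from RFC 3748 and the IANA EAP registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}


def parse_eap(hex_attr):
    """Decode an EAP-Message value as printed in FreeRADIUS debug output."""
    text = hex_attr[2:] if hex_attr.lower().startswith("0x") else hex_attr
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
           "id": ident, "length": length}
    if code in (1, 2) and length >= 5:   # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], "Unknown(%d)" % raw[4])
        if code == 2 and raw[4] == 3:    # Legacy Nak: list of acceptable methods
            wanted = raw[5:length]
            pkt["proposed"] = [EAP_TYPES.get(t, "Unknown(%d)" % t)
                               for t in wanted if t != 0]
            pkt["no_alternative"] = not pkt["proposed"]
    return pkt


def explain(pkt):
    """One-line reading of a parsed packet, for triaging debug logs."""
    if pkt.get("type") != "Nak":
        return "%s, type %s" % (pkt["code"], pkt.get("type"))
    if pkt["no_alternative"]:
        return "peer refused the offered method and proposes no alternative"
    return "peer refused the offered method and proposes: " + ", ".join(pkt["proposed"])


if __name__ == "__main__":
    samples = [
        "0x020200060300",   # from the debug output quoted above
        "0x020200060319",   # constructed: same Nak, but asking for PEAP (25)
    ]
    for value in samples:
        print(value, "->", explain(parse_eap(value)))
```
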
