Alan: Thank you for your response, I think I finally know what is going on. I need to get a real cert from my FreeRADIUS Server, any suggestions about which vendor, IE Verisign vs thawte vs ?

I was under the impression that the clients were sending a cert to the server and the server was rejecting it, instead it seems that the clients are rejecting the server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org [mailto:[email protected] rg] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:47 AM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

Sallee, Stephen (Jake) wrote:
> I am still getting this error in my debug output:
>
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
>
> I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

No amount of upgrading FreeRADIUS will make it work. This message comes because (a) the supplicant has a client certificate issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling FreeRADIUS that the server's CA is unknown to the client.

> PLEASE someone tell me how to make FreeRADIUS automatically accept the
> client cert.

PEAP doesn't work like that. If you issued client certs, then FreeRADIUS *MUST* be configured to know about the CA.

> I have about 2 thousand clients that are not owned by my university,
> I cannot install the server cert on all of them, the logistics are too
> much. PLEASE HELP!

We're trying. We're asking you to listen to our responses. PEAP (or any TLS based EAP method) *cannot* do what you ask. It's impossible, and it was designed to be impossible by the people who created the cryptography algorithms.

If you want to have it work, then (a) configure FreeRADIUS to know about the CA that issued the client cert, or (b) put the FreeRADIUS cert/CA on a web site, for the clients to download themselves.

I understand what you want, but please understand that there are limitations to the protocols *independent* of FreeRADIUS.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
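An added example, not part of the original thread or of FreeRADIUS: it decodes the packed OpenSSL error code from the debug line quoted above to show that the `unknown ca` alert was received from the peer, which is why the line points at the supplicant rejecting the server's chain. It assumes the 8-hex-digit OpenSSL 1.0.x error layout and that the log comes from the RADIUS server; the function names and the second sample line are constructed for illustration.

```python
import re

# OpenSSL 1.0.x-era packed error: lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
# In the SSL library, reason = 1000 + N means "TLS alert N was received from the peer".
SSL_AD_REASON_OFFSET = 1000
# Certificate-related alert descriptions defined by TLS.
CERT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode(code_hex):
    """Split an 8-hex-digit OpenSSL error code into its packed fields."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def triage(line):
    """Say which side rejected the handshake, or None if no error code is present."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    alert = decode(m.group(1))["alert"]
    if alert is None:
        return "local: raised by the server's own TLS processing, no alert received"
    name = CERT_ALERTS.get(alert, "alert %d" % alert)
    if alert in CERT_ALERTS:
        return "peer sent %s: the supplicant rejected the server's certificate chain" % name
    return "peer sent %s: not a certificate alert" % name


SAMPLES = [
    # Line quoted in the thread above.
    "rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    # Constructed contrast: an error generated locally by the server side.
    "rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample), "<-", sample)
```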

