Hi,

For a while now I've been trying to get EAP-TLS working on PacketFence using the built-in PKI. I'm following the installation guide ( https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki ), but I think I'm still missing something, or doing something wrong.

The guide mentions:

*Once done copy the certificate in the clipboard from the Certificate Authorities list (Configuration → Integration → PKI → Certificate Authorities and click on Copy Certificate) then edit the RADIUS certificate section in Configuration → System Configuration → SSL Certificates → RADIUS → Edit and paste the public key in "Certificate Authority" and Save. (Don't forget to restart radiusd-auth)*

However, this makes the RADIUS certificate chain invalid:

*Failed verifying chain: error stdin: verification failed. Ensure the intermediates certificate file you provided contains all the intermediate certificate authorities in x509 (Apache) format.*

Indeed, I can only connect using a generated certificate when choosing not to validate the CA on the end device. When I ask it to verify the CA, this is the error I get in radius.log:

*Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert read:fatal:unknown CA*
*Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: Failed in unknown state*
*Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)*
*Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected user: <username>*
*Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [<username>] (from client X.X.X.X/X port 0 cli xx:xx:xx:xx:xx:xx)*

I tried this on PF 10.0.1 and 10.2.0, same behavior.

Any ideas?

Thanks!
Thijs
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
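The "Failed verifying chain" message above is the result of a plain X.509 chain verification of the RADIUS server certificate against the pasted CA and intermediates. As an added example (not PacketFence code, and not from the poster), the script below builds a throwaway lab PKI with openssl and runs the same kind of check three ways, so you can see which of the three inputs (trusted CA, intermediates file, server certificate) disagrees; all names and CNs in it are constructed.

```shell
#!/bin/sh
# Added example: reproduce a RADIUS certificate chain check with openssl on a
# constructed lab PKI (root CA -> intermediate CA -> server cert, plus an
# unrelated CA). Requires the openssl CLI; everything runs in a temp directory.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

newca() {  # $1 = file prefix, $2 = CN, $3 = signer prefix ("" = self-signed)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$2" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" \
        -days 30 -extfile ca.ext 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -out "$1.pem" -days 30 -extfile ca.ext 2>/dev/null
  fi
}

newca root  "Lab Root CA" ""            # trust anchor (the "Certificate Authority" field)
newca inter "Lab Intermediate CA" root  # what the error calls the intermediates file
newca other "Unrelated CA" ""           # a CA that did NOT issue the server cert

# RADIUS server certificate issued by the intermediate (a leaf, not a CA).
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=radius.lab.example" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out server.pem -days 30 -extfile leaf.ext 2>/dev/null

# Chain check: $1 = trusted CA file, $2 = certificate, $3 = optional intermediates.
# Returns 0 only when $2 chains up to $1 through $3.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Who issued a certificate; compare this with the subject of the CA you pasted.
issuer_of() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253; }

verify_chain root.pem server.pem inter.pem && echo "full chain: OK"
verify_chain root.pem server.pem || echo "without intermediates: FAIL (expected)"
verify_chain other.pem server.pem inter.pem || echo "wrong CA: FAIL (unknown CA)"
issuer_of server.pem
```

Run the same two functions against the real files (the CA you pasted, the intermediates file and the RADIUS server certificate) to see whether the failure is a missing intermediate or a CA that simply did not issue the server certificate.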