Hello,

eap_tls: TLS Alert read:fatal:unknown CA

That error means that the client wants to trust the Radius certificate that is installed on PacketFence and does not trust its root CA. To avoid that error, you can first configure a good certificate on the PacketFence Radius service and trust its root CA / install the root CA on the testing device, or you can ignore the certificate check.

What's the OS of your testing device?

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Jan 30, 2021, at 8:40 AM, Thijs Vandecasteele via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hi,
>
> For a while now, I'm trying to get EAP-TLS working on PacketFence using the built-in PKI.
> I'm following the installation guide (https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki), but I think I'm still missing something, or doing something wrong:
>
> The guide mentions:
> Once done copy the certificate in the clipboard from the Certificate Authorities list (Configuration → Integration → PKI → Certificate Authorities and click on Copy Certificate) then edit the RADIUS certificate section in Configuration → System Configuration → SSL Certificates → RADIUS → Edit and paste the public key in "Certificate Authority" and Save. (Don't forget to restart radiusd-auth)
>
> However, this makes the RADIUS certificate chain invalid:
> Failed verifying chain: error stdin: verification failed . Ensure the intermediates certificate file you provided contains all the intermediate certificate authorities in x509 (Apache) format.
>
> Indeed, I can only connect using a generated certificate when choosing not to validate the CA on the end-device. When I ask to verify the CA, this is the error I get in radius.log:
>
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: Failed in unknown state
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected user: <username>
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [<username>] (from client X.X.X.X/X port 0 cli xx:xx:xx:xx:xx:xx)
>
> I tried this on PF 10.0.1 and 10.2.0, same behavior.
>
> Any ideas?
>
> Thanks!
> Thijs
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
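The two failures discussed in this thread (PacketFence rejecting the RADIUS chain as incomplete, and the supplicant answering with "unknown CA") are both the same check: does the server certificate chain, through the intermediates on file, to a root the verifying side trusts? The script below is an added lab that reproduces that check with openssl and is not code from the thread or from PacketFence. It builds a throwaway root CA, an issuing (intermediate) CA, a RADIUS server certificate, and an unrelated root, then verifies the leaf against each combination. The names lab-root, lab-issuing, radius.lab.test, other-root and the $WORK directory are constructed; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added lab, not code from the PacketFence thread: build a throwaway PKI with
# openssl and show which CA / intermediate files let chain verification pass.
# Every name and path here is constructed; openssl 1.1.1 or newer is assumed.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_EXT="$WORK/ca.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"

# key_and_csr NAME: fresh RSA key and a CSR with CN=NAME
key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# make_root NAME: self-signed root CA carrying CA:TRUE
make_root() {
  key_and_csr "$1"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 -sha256 \
    -extfile "$CA_EXT" -out "$WORK/$1.crt" 2>/dev/null
}

# make_signed NAME ISSUER [ca]: certificate for NAME issued by ISSUER;
# a third argument "ca" makes it an intermediate CA instead of a leaf
make_signed() {
  key_and_csr "$1"
  if [ "${3:-}" = ca ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -sha256 -extfile "$CA_EXT" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -sha256 -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# verify_chain LEAF TRUSTED_CAS [INTERMEDIATES]: returns 0 when LEAF chains to
# a root in TRUSTED_CAS through INTERMEDIATES; this is what the supplicant does
# with the chain the RADIUS server presents during the EAP-TLS handshake
verify_chain() {
  if [ -n "${3:-}" ]; then
    if openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; then return 0; fi
  elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# issuer_matches LEAF CA: returns 0 when CA's subject equals LEAF's issuer name,
# a quick test of whether the CA you pasted is the one that signed the cert
# (name equality only; verify_chain is the check that validates the signature)
issuer_matches() {
  iss=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')
  if [ "$iss" = "$sub" ]; then return 0; fi
  return 1
}

# build_lab: root CA -> issuing CA -> RADIUS server cert, plus an unrelated root
build_lab() {
  make_root   lab-root
  make_signed lab-issuing lab-root ca
  make_signed radius.lab.test lab-issuing
  make_root   other-root
  # bundle in the "intermediates" form: issuing CA first, then its root
  cat "$WORK/lab-issuing.crt" "$WORK/lab-root.crt" > "$WORK/chain.pem"
}

build_lab
LEAF="$WORK/radius.lab.test.crt"
if verify_chain "$LEAF" "$WORK/lab-root.crt" "$WORK/lab-issuing.crt"; then
  echo "trusted root + issuing intermediate: chain verifies"
fi
if ! verify_chain "$LEAF" "$WORK/lab-root.crt"; then
  echo "trusted root but intermediate missing: local issuer not found"
fi
if ! verify_chain "$LEAF" "$WORK/other-root.crt" "$WORK/lab-issuing.crt"; then
  echo "unrelated root in the trust store: the verifier sees an unknown CA"
fi
```

To apply this to a real deployment, call verify_chain with the RADIUS server certificate as LEAF, the certificate pasted into the "Certificate Authority" field as TRUSTED_CAS, and the intermediates file as the third argument. The second case reproduces the "intermediates certificate file ... contains all the intermediate certificate authorities" complaint, and the third is the situation a supplicant reports as unknown CA: the trust anchor installed on the device is not the root that the server's chain leads to. issuer_matches is the fast first question to ask when the CA that was pasted in does not appear to be the one that signed the server certificate.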