Hi Ludovic,

Thanks for your feedback. Indeed, that is what I was referring to. I tested both on Windows 10 and Android 10. This is what I did:

1. Generate a root CA using Integration > PKI > Certificate Authorities
2. Copy the root CA to System Configuration > SSL Certificates > Radius > Certificate Authority
3. Create a template
4. Create a user cert based on this template
5. Export the cert to p12 (thus including the root CA)
6. Import the p12 to Windows/Android
Best regards,
Thijs

On Mon, 1 Feb 2021 at 17:34, Ludovic Zammit <lzam...@inverse.ca> wrote:

> Hello,
>
> eap_tls: TLS Alert read:fatal:unknown CA
>
> That error means that the client wants to trust the Radius certificate that is installed on PacketFence and does not trust its root CA.
>
> To avoid that error, you can first configure a good certificate on the PacketFence Radius service and trust its root CA / install the root CA on the testing device, or you can ignore the certificate check.
>
> What is the OS of your testing device?
>
> Thanks,
>
> Ludovic Zammit
> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Jan 30, 2021, at 8:40 AM, Thijs Vandecasteele via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> > Hi,
> >
> > For a while now, I'm trying to get EAP-TLS working on PacketFence using the built-in PKI.
> > I'm following the installation guide (https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki), but I think I'm still missing something, or doing something wrong.
> >
> > The guide mentions:
> >
> > Once done copy the certificate in the clipboard from the Certificate Authorities list (Configuration → Integration → PKI → Certificate Authorities and click on Copy Certificate) then edit the RADIUS certificate section in Configuration → System Configuration → SSL Certificates → RADIUS → Edit and paste the public key in "Certificate Authority" and Save. (Don't forget to restart radiusd-auth)
> >
> > However, this makes the RADIUS certificate chain invalid:
> >
> > Failed verifying chain: error stdin: verification failed . Ensure the intermediates certificate file you provided contains all the intermediate certificate authorities in x509 (Apache) format.
> >
> > Indeed, I can only connect using a generated certificate when choosing not to validate the CA on the end device. When I ask to verify the CA, this is the error I get in radius.log:
> >
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: Failed in unknown state
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected user: <username>
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [<username>] (from client X.X.X.X/X port 0 cli xx:xx:xx:xx:xx:xx)
> >
> > I tried this on PF 10.0.1 and 10.2.0, same behavior.
> >
> > Any ideas?
> >
> > Thanks!
> > Thijs
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
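Added example, not code from the thread or from PacketFence: a throwaway openssl lab that reproduces the two checks the thread turns on, the chain verification PacketFence runs on the RADIUS certificate against the CA pasted into "Certificate Authority", and the trust decision an EAP-TLS client makes against the root bundled in its .p12. All CA and host names are constructed placeholders; it assumes openssl and mktemp are on the path.

```shell
#!/bin/sh
# Constructed two-CA lab in a temp dir: a "server CA" that issued the RADIUS
# certificate and the PacketFence PKI root that issued the client certificate.
# Names (server-ca, pf-root, radius.example.test, alice) are placeholders.
set -eu
LAB="$(mktemp -d)"
trap 'rm -rf "$LAB"' EXIT
# Minimal openssl config so the lab does not depend on the system openssl.cnf.
cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
EOF
mk_ca() {    # $1 = file prefix, $2 = CN : self-signed root CA
  openssl req -x509 -config "$LAB/lab.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=$2" -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}
mk_leaf() {  # $1 = issuing CA prefix, $2 = file prefix, $3 = CN : end-entity cert
  openssl req -new -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.crt" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days 30 -extfile "$LAB/lab.cnf" -extensions leaf_ext \
    -out "$LAB/$2.crt" 2>/dev/null
}
# The one check behind both errors in the thread: does cert $2 chain to CA $1?
# Returns 0 for a valid chain, non-zero otherwise (what the client calls "unknown CA").
verify_chain() { openssl verify -CAfile "$LAB/$1.crt" "$LAB/$2.crt" >/dev/null 2>&1; }
# RADIUS server cert from the site's server CA; EAP-TLS client cert from the PKI
# root, which is also the only CA the exported .p12 teaches the device to trust.
mk_ca   server-ca "Lab Server CA"
mk_ca   pf-root   "Lab PacketFence PKI Root"
mk_leaf server-ca radius "radius.example.test"
mk_leaf pf-root   client "alice"
# radius -> server-ca is what the RADIUS "Certificate Authority" field must hold;
# pasting pf-root there instead is the "Failed verifying chain" case, and a
# client that trusts only pf-root rejects the same RADIUS cert with "unknown CA".
for pair in "server-ca radius" "pf-root client" "pf-root radius"; do
  set -- $pair
  if verify_chain "$1" "$2"; then echo "OK    $2 chains to $1"
  else echo "FAIL  $2 does not chain to $1 (client sees: unknown CA)"; fi
done
```

The fix the thread points at is the first line passing: the RADIUS certificate must chain to the CA pasted in the RADIUS section, and the device must trust that same CA, either because the RADIUS certificate is issued by the PKI root that ships in the .p12 or because that root is installed separately.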