Hello,

I had this error message today, and what I figured out is that it means the certificate presented by the RADIUS server is not trusted by the client.

You either have to go to Config -> System Config -> SSL Certificates -> Radius and either replace the RADIUS certificate with one that is generated by a CA that is trusted by the client, or you take the self-made CA that is there (should be called Example Certificate Authority) and make it so the client trusts that (would only recommend for testing).

Regards
Adrian

-----Original Message-----
From: Pieter Boelens via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Monday, 21 February 2022 14:17
To: packetfence-users@lists.sourceforge.net
Cc: Pieter Boelens <pieter.boel...@inkendaal.be>
Subject: Re: [PacketFence-users] Packetfence PKI and EAP-TLS

Hello,

Was a solution ever found for this issue? I have the exact same problem and have not been able to find a solution yet.

When I copy-paste the CA public key into Configuration → System Configuration → SSL Certificates → RADIUS → Edit, it returns the error "Failed verifying chain: error stdin: verification failed . Unable to fetch all the intermediates through the information contained in the certificate. You will have to upload the intermediate chain manually in x509 (Apache) format."

Could someone point me in the right direction?

Best regards,
Pieter

> -----Original Message-----
>
> Hi Ludovic,
>
> Thanks for your feedback. Indeed, that is what I was referring to.
> I tested both on Windows 10 and Android 10.
> This is what I did:
> 1. Generate a root CA using Integration > PKI > Certificate Authorities
> 2. Copy the root CA to System Configuration > SSL Certificates > Radius > Certificate Authority
> 3. Create a template
> 4. Create a user cert based on this template
> 5. Export the cert to p12 (thus including the root CA)
> 6. Import the p12 to Windows/Android
>
> Best regards,
> Thijs
>
> On Mon 1 Feb 2021 at 17:34, Ludovic Zammit <lzam...@inverse.ca> wrote:
> >
> > Hello,
> >
> > eap_tls: TLS Alert read:fatal:unknown CA
> >
> > That error means that the client wants to trust the RADIUS certificate that is installed on PacketFence and does not trust its root CA.
> >
> > To avoid that error, you can first configure a good certificate on the PacketFence RADIUS service and trust its root CA / install the root CA on the testing device, or you can ignore the certificate check.
> >
> > What's the OS of your testing device?
> >
> > Thanks,
> >
> > Ludovic Zammit
> > lzam...@inverse.ca :: +1.514.447.4918 (x145) :: http://www.inverse.ca/
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu/) and PacketFence (http://packetfence.org/)
> >
> > On Jan 30, 2021, at 8:40 AM, Thijs Vandecasteele via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> >
> > Hi,
> >
> > For a while now, I'm trying to get EAP-TLS working on PacketFence using the built-in PKI.
> > I'm following the installation guide (https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki), but I think I'm still missing something, or doing something wrong:
> >
> > The guide mentions:
> > *Once done copy the certificate in the clipboard from the Certificate Authorities list (Configuration → Integration → PKI → Certificate Authorities and click on Copy Certificate) then edit the RADIUS certificate section in Configuration → System Configuration → SSL Certificates → RADIUS → Edit and paste the public key in "Certificate Authority" and Save. (Don't forget to restart radiusd-auth)*
> >
> > However, this makes the RADIUS certificate chain invalid:
> > *Failed verifying chain: error stdin: verification failed . Ensure the intermediates certificate file you provided contains all the intermediate certificate authorities in x509 (Apache) format.*
> >
> > Indeed, I can only connect using a generated certificate when choosing not to validate the CA on the end-device. When I ask to verify the CA, this is the error I get in radius.log:
> >
> > *Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: Failed in unknown state
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected user: <username>
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [<username>] (from client X.X.X.X/X port 0 cli xx:xx:xx:xx:xx:xx)*
> >
> > I tried this on PF 10.0.1 and 10.2.0, same behavior.
> >
> > Any ideas?
> >
> > Thanks!
> > Thijs
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
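Added example, not from this thread and not PacketFence's own tooling: the script below reproduces with plain openssl what the UI's "Failed verifying chain" error and the client's "unknown CA" alert are both reporting, namely that the RADIUS server certificate does not chain to the CA the other side trusts. It builds a throwaway root CA (named after the thread's "Example Certificate Authority"), an unrelated second CA, and a RADIUS server certificate issued by the first, then shows the issuer comparison and the chain check passing with the right CA and failing with the wrong one. The CA names, the server name and the files under $WORK are constructed assumptions; run it before pasting a CA under SSL Certificates → RADIUS to confirm that CA really issued the RADIUS certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from PacketFence: reproduce with
# plain openssl the two checks behind "Failed verifying chain" (PacketFence UI)
# and "TLS Alert read:fatal:unknown CA" (FreeRADIUS), so the mismatch can be
# diagnosed before touching the RADIUS certificate settings.
# All keys, certificates and CA names below are constructed throwaway data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the self-signed CA gets CA:TRUE regardless of the
# system's openssl.cnf (an empty [dn] section is fine because -subj is used).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca PREFIX CN: self-signed root CA, written as PREFIX.key / PREFIX.pem in $WORK
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_server_cert CAPREFIX PREFIX CN: RADIUS server certificate signed by CAPREFIX
issue_server_cert() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# subject_of FILE / issuer_of FILE: the DN strings with the "subject="/"issuer=" prefix stripped
subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

# check_chain CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero if a client
# that trusts only CAFILE would reject it with "unknown CA"
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed setup: the PKI's root CA, an unrelated CA, and a RADIUS cert
# issued by the PKI root (the situation the thread describes).
make_ca pki-ca   "Example Certificate Authority"
make_ca other-ca "Unrelated Corporate CA"
issue_server_cert pki-ca radius "radius.example.test"

# Step 1: does the CA you are about to paste actually match the issuer?
echo "RADIUS cert issuer : $(issuer_of "$WORK/radius.pem")"
echo "PKI CA subject     : $(subject_of "$WORK/pki-ca.pem")"
echo "Other CA subject   : $(subject_of "$WORK/other-ca.pem")"

# Step 2: the chain check itself, once with the right CA and once with the wrong one.
for ca in pki-ca other-ca; do
  if check_chain "$WORK/$ca.pem" "$WORK/radius.pem"; then
    echo "$ca: chain OK, a client trusting this CA will accept the RADIUS cert"
  else
    echo "$ca: chain FAILS, a client trusting only this CA will answer 'unknown CA'"
  fi
done
```

On a real PacketFence box the same two commands apply to the live files: compare `openssl x509 -noout -issuer` of the RADIUS server certificate with `openssl x509 -noout -subject` of the CA you copied from Integration → PKI, and run `openssl verify -CAfile <that CA> <RADIUS cert>`; if the second command fails, the UI will reject the paste and clients that validate the server will see the same "unknown CA" alert shown in the log above.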