In the process of configuring EAP-TLS with NAC acting as the RADIUS, the problem I keep hitting is the following error when the device tries to authenticate:
EAP-TLS: fatal alert by server - unknown_ca
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session
Have followed the article below and created a server CSR via NAC:
The command I used is as follows, and made sure the answer to Common Name is the FQDN of NAC and that a DNS entry exists for it:
openssl genrsa 2048 | openssl pkcs8 -topk8 -out nac01-server.key
openssl req -new -reqexts server_auth -key nac01-server.key -out nac01-server-reqext.csr
Have then taken the CSR to the root CA, used the RAS / IAS template and generated the certificate. Then taken the certificate bundle and imported into the RADIUS certificate section in NAC.
The client certificate has been generated using the following rules:
The PKI is simple in that there is only the root CA, no intermediate CA and both the client and the NAC have a certificate chain to the root.
Have tried to follow the following post best I can, but obviously slightly different being geared to NPS rather than NAC:
Wondering if anyone has any ideas.
Many thanks in advance.
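An offline check related to the error above, as an added example that is not part of the original post: `openssl verify` tests whether a certificate chains to a given trusted CA file, which is the kind of check reported as failed in `ssl3_get_client_certificate`. The throwaway PKI, file names and CNs below are constructed for the demonstration; against a real deployment the inputs would be the root CA as exported from the RADIUS server's trust store and the client and server certificates.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI; every file name and CN is hypothetical.

# chain_ok <trusted-ca.pem> <cert.pem>: succeeds only if cert chains to that CA.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_root <prefix> <CN>: self-signed root CA (key + certificate).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue <ca-prefix> <prefix> <CN>: key, CSR and certificate signed by that CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_root "$demo/root"  "Constructed Root CA"       # the CA both sides should trust
make_root "$demo/other" "Constructed Unrelated CA"  # stands in for a wrong trust store
issue "$demo/root" "$demo/client" "constructed-client"
issue "$demo/root" "$demo/server" "nac.example.test"

# Verify each certificate against each candidate trust anchor.
for ca in root other; do
    for cert in client server; do
        if chain_ok "$demo/$ca.pem" "$demo/$cert.pem"; then
            echo "trust=$ca cert=$cert: OK"
        else
            echo "trust=$ca cert=$cert: FAIL"
            # Show OpenSSL's own reason for the failure.
            openssl verify -CAfile "$demo/$ca.pem" "$demo/$cert.pem" 2>&1 \
                | grep -i '^error' || true
        fi
    done
done
```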