09-20-2018 02:19 PM
Hi,
In the process of configuring EAP-TLS with NAC acting as the RADIUS, the problem I keep hitting it the following error when the device tries to authenticate:
EAP-TLS: fatal alert by server - unknown_ca
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session
The command I used is as follows, and made sure the answer to Common Name is the FQDN of NAC at that a DNS entry exists for it:
openssl genrsa 2048 | openssl pkcs8 -topk8 -out nac01-server.key
openssl req -new -reqexts server_auth -key nac01-server.key -out nac01-server-reqext.csr
Have then taken the CSR to the root CA, used the RAS / IAS template and generated the certificate. Then taken the certificate bundle and imported into the RADIUS certificate section in NAC.
The client certificate has been generated using the following rules:
https://support.microsoft.com/en-gb/help/814394/certificate-requirements-when-you-use-eap-tls-or-pea...
The PKI is simple in that there is only the root CA, no intermediate CA and both the client and the NAC have a certificate chain to the root.
Have tried to follow the following post best I can, but obviously slightly different being geared to NPS rather than NAC:
https://community.extremenetworks.com/extreme/topics/how-to-guide-extreme-wireless-authenticates-dom...
Wondering if anyone has any ideas.
Many thanks in advance.
09-24-2018 01:02 PM
09-23-2018 04:03 PM
09-23-2018 04:03 PM
09-23-2018 06:01 AM