NAC EAP-TLS Unknown CA Error

Anonymous
Not applicable

Hi,

In the process of configuring EAP-TLS with NAC acting as the RADIUS, the problem I keep hitting is the following error when the device tries to authenticate:

EAP-TLS: fatal alert by server - unknown_ca
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session

The commands I used are as follows, and I made sure the answer to Common Name is the FQDN of NAC and that a DNS entry exists for it:

# -reqexts server_auth requires a [ server_auth ] section in the openssl config (e.g. extendedKeyUsage = serverAuth); it is not in the default openssl.cnf
openssl genrsa 2048 | openssl pkcs8 -topk8 -out nac01-server.key
openssl req -new -reqexts server_auth -key nac01-server.key -out nac01-server-reqext.csr

I then took the CSR to the root CA, used the RAS / IAS template and generated the certificate, then took the certificate bundle and imported it into the RADIUS certificate section in NAC.

The client certificate has been generated using the following rules:

https://support.microsoft.com/en-gb/help/814394/certificate-requirements-when-you-use-eap-tls-or-pea...

The PKI is simple in that there is only the root CA, no intermediate CA and both the client and the NAC have a certificate chain to the root.

I have tried to follow the post below as best I can, but it is obviously slightly different, being geared to NPS rather than NAC:

https://community.extremenetworks.com/extreme/topics/how-to-guide-extreme-wireless-authenticates-dom...

Wondering if anyone has any ideas.

Many thanks in advance.

Ryan_Turner
New Contributor
If you are seeing this message on the server, then it means the certificate that the client is presenting your server is not a known CA (95% sure) or it is unable to chain to root. We run TLS in our environment, but we don’t terminate the authentication on the NAC server. We proxy it through to another freeRadius server. You need to make sure the client certificate chain is installed into NAC correctly.
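As an added example (not from this thread, Extreme NAC or Ryan's environment), the chain check a RADIUS server performs on the client certificate, reproduced offline with openssl: two throwaway root CAs are created, a client-auth certificate is issued from one, and it is verified against each root, so the "certificate verify failed" / unknown_ca condition from the original post can be seen directly. All CA and user names here are constructed; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from Extreme NAC: reproduce the
# chain check a RADIUS server runs on an EAP-TLS client certificate.
# Assumes openssl 1.1.1+ on PATH. All CA/user names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root <prefix> <CN>: self-signed throwaway root CA (cert + key).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client <root prefix> <user>: certificate for <user> issued by the
# named root, with the Client Authentication EKU the Microsoft
# EAP-TLS certificate requirements call for.
make_client() {
    printf 'extendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -extfile "$WORK/client.ext" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# check_chain <client cert> <trusted root>: the server-side verification.
# Prints "ok" when the cert chains to the trusted root and is usable for
# client auth; prints "unknown_ca" (and fails) otherwise, which is the
# condition behind "fatal alert by server - unknown_ca".
check_chain() {
    if openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown_ca
        return 1
    fi
}

make_root enterprise-root "Constructed Enterprise Root CA"
make_root other-root "Constructed Unrelated Root CA"
make_client enterprise-root laptop01

# Server trusts the issuing root: the chain builds -> ok
echo "trusted root:   $(check_chain "$WORK/laptop01.pem" "$WORK/enterprise-root.pem")"
# Server trusts a different root (e.g. wrong bundle imported) -> unknown_ca
echo "unrelated root: $(check_chain "$WORK/laptop01.pem" "$WORK/other-root.pem")"
```

Point the second argument at the CA bundle actually imported into NAC to test a real client certificate the same way.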

Anonymous
Not applicable

There is a resolution to the problem in this article on the GTAC knowledge base (yet to try it):

https://extremeportal.force.com/ExtrArticleDetail?an=000080944

The first step says to disable the certificate validation on the client?

There are no further steps to re-enable it, so wouldn't that defeat the object if the validation is turned off?
