ePMP2000 + Freeradius ==> CA issues

Hello Board,

Trying RADIUS authentication.

Seems I got TTLS/EAP all dialed in.

But then I get derailed by certificates.

Maybe someone here solved the issue of getting a CA error on Freeradius 2.x even after generating the certs as described in the User Manual as well as described here:

https://community.cambiumnetworks.com/t5/ePMP-Configuration-Management/Creating-Certificates-for-the-RADIUS-Server-and-for-Subscriber/td-p/68551

I have installed the new CA on the CPE under User Provisioned Root Cert1

EAP seems to establish just fine.

But then, FreeRadius throws me that error:

Tue Nov 27 21:13:03 2018 : Error: TLS Alert read:fatal:unknown CA
Tue Nov 27 21:13:03 2018 : Error:     TLS_accept: failed in unknown state
Tue Nov 27 21:13:03 2018 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov 27 21:13:03 2018 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Tue Nov 27 21:13:03 2018 : Debug: TLS receive handshake failed during operation
Tue Nov 27 21:13:03 2018 : Info: [ttls] eaptls_process returned 4  
Tue Nov 27 21:13:03 2018 : Info: [eap] Handler failed in EAP/ttls
Tue Nov 27 21:13:03 2018 : Info: [eap] Failed in EAP select
Tue Nov 27 21:13:03 2018 : Info: ++[eap] = invalid
Tue Nov 27 21:13:03 2018 : Info: +} # group EAP = invalid

We are running on Debian 8.11 and FreeRADIUS 2.2.5.

Does anyone have an idea, or is anyone running RADIUS with the ePMP2000?

Thanks,

Heiko Rehm

You probably have a new SSL version. It considers MD5 unreliable, and I suspect that your CA certificate is signed with MD5. I attached an updated sign script where I changed MD5 to SHA-256, so you need to regenerate your certificates.