EAP-TLS auth test fails with "unsupported certificate purpose"

PROBLEM:
The authentication test run from RADIUS -> Authentication -> Authentication Servers -> Local Certificate Authority -> Test Authentication fails. The debug output shows:
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 26 (unsupported certificate purpose) depth 1 for '/C=US/ST=California/L=Sunnyvale/O=Aruba Networks/OU=ACE/CN=Milano Lab Amigopod Local Root CA (Signing)/emailAddress=milano.amigpod.rootca@arubanetworks.com'
SSL: (where=0x4008 ret=0x22b)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unsupported certificate
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP-TLS: TLS processing failed
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL
SOLUTION:
When exporting the client certificate, choose PKCS#12 Format but clear the checkbox for Trust Chain - Include certificate trust chain. This prevents the test authentication from presenting the CA certificate(s) to the RADIUS server, which is what produces the "unsupported certificate purpose" message.

Note that this is not required for a real client. This is only necessary when testing internally on Amigopod through the test tool. A real client can be installed with the full trust chain but will only present the client certificate during authentication.
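The article's explanation is that, when the export includes the trust chain, the test tool hands the CA certificate to the server, and a CA certificate does not pass the purpose check applied to a client certificate. The shell script below is an added example and is not part of the Airheads article or of any Aruba tool. It uses the openssl CLI (1.1.1 or 3.x assumed on PATH) to build a throwaway root CA and client certificate, exports them both ways the article describes (with and without the chain), counts the CA certificates a PKCS#12 bundle carries, and reproduces verify error 26, "unsupported certificate purpose", by checking certificates for a role that their key usage or extended key usage does not permit. Every subject name, file name and password in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Airheads article: exercise OpenSSL's certificate
# purpose check and inspect what a PKCS#12 export contains.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. All names, the password
# and the key sizes are constructed for the demo, not Amigopod values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat >"$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder (overridden by -subj)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Root CA whose key usage is limited to certificate and CRL signing,
# the way a real root CA is normally issued.
openssl req -x509 -config "$WORK/demo.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Client certificate issued by that CA and restricted to the TLS client role.
openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=demo-client (constructed)" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/demo.cnf" -extensions client_ext \
    -out "$WORK/client.pem" 2>/dev/null

# Two PKCS#12 exports: one with the issuing CA included (the "trust chain"
# option in the article), one carrying the client certificate only.
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -certfile "$WORK/ca.pem" -passout pass:demo -out "$WORK/with_chain.p12"
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -passout pass:demo -out "$WORK/leaf_only.p12"

# Number of CA certificates (certificates not bound to the private key)
# carried in a PKCS#12 bundle; 0 means the chain was left out.
count_ca_certs() {
    openssl pkcs12 -in "$1" -passin pass:demo -nokeys -cacerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Verify a certificate for a given purpose (sslclient or sslserver) against
# the demo CA. Prints "<file>: OK" on success or OpenSSL's error text,
# which for a role mismatch is "error 26 ... unsupported certificate purpose".
verify_for_purpose() {
    openssl verify -purpose "$1" -CAfile "$WORK/ca.pem" "$2" 2>&1 || true
}

echo "CA certs in with_chain.p12: $(count_ca_certs "$WORK/with_chain.p12")"
echo "CA certs in leaf_only.p12:  $(count_ca_certs "$WORK/leaf_only.p12")"
echo "--- client.pem checked as a TLS client certificate (its intended role):"
verify_for_purpose sslclient "$WORK/client.pem"
echo "--- client.pem checked as a TLS server certificate (EKU forbids it):"
verify_for_purpose sslserver "$WORK/client.pem"
echo "--- ca.pem checked as an end-entity client certificate (key usage forbids it):"
verify_for_purpose sslclient "$WORK/ca.pem"
```

Run it with `sh` and set WORK to a directory of your choice if you want to keep the generated files. The count_ca_certs check is the quick way to confirm that an export really omitted the chain before re-running the test tool; the last verify call shows the same error text as the debug output, because a CA certificate placed where an end-entity certificate is expected fails the purpose check regardless of how trusted it is.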

Version History
Revision #: 2 of 2
Last update: 06-29-2014 10:14 AM