AAA, NAC, Guest Access & BYOD


EAP-TLS auth test fails with "unsupported certificate purpose" 

Jun 29, 2014 01:11 PM

PROBLEM :
The authentication test run from RADIUS -> Authentication -> Authentication Servers -> Local Certificate Authority -> Test Authentication fails. The debug output shows:

SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 26 (unsupported certificate purpose) depth 1 for '/C=US/ST=California/L=Sunnyvale/O=Aruba Networks/OU=ACE/CN=Milano Lab Amigopod Local Root CA (Signing)/emailAddress=milano.amigpod.rootca@arubanetworks.com'
SSL: (where=0x4008 ret=0x22b)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unsupported certificate
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP-TLS: TLS processing failed
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL


SOLUTION :
When exporting the client certificate for the test, choose the PKCS#12 format but clear the Trust Chain - Include certificate trust chain check box. The test tool then presents only the client certificate to the RADIUS server rather than the client certificate plus the CA certificate(s), and the "unsupported certificate purpose" failure goes away. Error 26 in the debug output is OpenSSL's X509_V_ERR_INVALID_PURPOSE: a certificate in the chain (here the one at depth 1, the Local Root CA) was encountered in a role that its extensions do not permit.

Note that this is not required for a real client; it is only necessary when testing internally on Amigopod through the test tool. A real client can be installed with the full trust chain (and normally should be, since the supplicant uses the CA certificate to validate the RADIUS server's certificate) but will only present the client certificate during authentication.
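As an added example (not part of the original article), the following shell script builds a throwaway CA and client certificate with openssl, exports the client as PKCS#12 once with and once without the trust chain, and shows two checks a practitioner would run before a test like the one above: counting how many CA certificates a .p12 actually carries, and asking openssl which purposes a given certificate supports (the same check that produces an "unsupported certificate purpose" verdict). The CA name, file names and password are assumptions made for the demo; the Amigopod export dialog itself is not scripted here.

```shell
#!/bin/sh
# Added example, not code from the KB article or from Amigopod/ClearPass.
# Builds a demo PKI, exports a client PKCS#12 with and without the CA
# chain, and inspects the results. All names and paths are assumptions.
set -e

WORK=${WORK:-$(mktemp -d)}

make_demo_pki() {
  # Throwaway self-signed CA (constructed for the demo, not a real CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

  # Client CSR and certificate issued by that CA, restricted to clientAuth.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
    > "$WORK/client.ext"
  openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Equivalent of exporting with "Include certificate trust chain" checked:
# the CA certificate travels inside the bundle alongside the client cert.
export_p12_with_chain() {
  openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
    -certfile "$WORK/ca.pem" -passout pass:demo \
    -out "$WORK/client-with-chain.p12"
}

# Equivalent of exporting with the trust-chain box cleared: client cert
# and key only, which is what the KB solution asks for.
export_p12_without_chain() {
  openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
    -passout pass:demo -out "$WORK/client-only.p12"
}

# Count the CA certificates (the "trust chain") inside a PKCS#12 bundle.
# -cacerts prints only certs that are not tied to the private key.
count_ca_certs() {
  openssl pkcs12 -in "$1" -passin pass:demo -nokeys -cacerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Return 0 if openssl says the PEM certificate $1 supports purpose $2,
# e.g. "SSL client", "SSL server CA". This is the purpose logic behind
# X509_V_ERR_INVALID_PURPOSE ("unsupported certificate purpose").
supports_purpose() {
  openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q "^$2 : Yes$"
}

make_demo_pki
export_p12_with_chain
export_p12_without_chain
printf 'CA certs in bundle with chain:  %s\n' \
  "$(count_ca_certs "$WORK/client-with-chain.p12")"
printf 'CA certs in client-only bundle: %s\n' \
  "$(count_ca_certs "$WORK/client-only.p12")"
for p in "SSL client" "SSL server" "SSL server CA"; do
  if supports_purpose "$WORK/client.pem" "$p"; then
    printf 'client cert: %s: yes\n' "$p"
  else
    printf 'client cert: %s: no\n' "$p"
  fi
done
```

Run it as-is to see that the with-chain bundle carries one CA certificate and the client-only bundle none, and that the clientAuth-only client certificate is reported as unusable for "SSL server" and "SSL server CA" roles; pointing count_ca_certs at a .p12 exported from Amigopod is the quick way to confirm the trust-chain box really was cleared before re-running Test Authentication.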
