js2
Staff
March 20, 2025

Technical Tip: 802.1x authentication failed with certificate verification

Description

This article explains the errors that appear in the FortiAuthenticator RADIUS debug log when client certificate validation fails during 802.1x (EAP-TLS) authentication, and how to resolve them.

Scope

FortiAuthenticator.
Solution

RADIUS debug:

2025-02-24T17:13:41.246883+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) OpenSSL says error 20 : unable to get local issuer certificate
2025-02-24T17:13:41.246927+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA
2025-02-24T17:13:41.246939+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) Server : Error in error
2025-02-24T17:13:41.246952+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed
2025-02-24T17:13:41.246962+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
2025-02-24T17:13:41.246969+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
2025-02-24T17:13:41.246976+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: [eaptls process] = fail

2025-02-24T17:13:41.247039+05:30 CR-FortiAutheticator radiusd[7524]: (16) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-02-24T17:13:41.247092+05:30 CR-FortiAutheticator radiusd[7524]: (16) facauth: Updated auth log 'host/MY-LAB.joe.com' for attempt from 192.168.1.10: 802.1x authentication failed

Solution:

  1. Export the client user certificate, together with its private key, from Certificate Management -> End Entities -> Users in PKCS#12 format and import it on the end device.
  2. Make sure the client certificate is signed by the correct root certificate, that is, the CA that FortiAuthenticator trusts: the "unable to get local issuer certificate" error (OpenSSL error 20) means the issuer of the presented certificate was not found in that trust store.
  3. Ensure the Enhanced Key Usage field of the client certificate includes the Client Authentication attribute.
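The following script is an added example (not part of the Fortinet article) that reproduces checks 2 and 3 with the openssl CLI, so an exported client certificate can be tested against the CA before the RADIUS server rejects it. It assumes openssl is in PATH; the CA names and the three client certificates it builds are constructed for the demo.

```shell
# Added example (not from the Fortinet article): reproduce the two checks behind the
# fix steps with the openssl CLI (assumed in PATH). Log "error 20" is OpenSSL's
# "unable to get local issuer certificate", which is what the chain check reports.
# check_client_cert CLIENT.pem CA.pem -> 0 ok, 1 chain does not reach CA, 2 EKU lacks clientAuth
check_client_cert() {
    client="$1"; cafile="$2"
    out=$(openssl verify -CAfile "$cafile" "$client" 2>&1) || true
    case "$out" in
        *": OK"*) ;;
        *) echo "FAIL chain: $(printf '%s\n' "$out" | grep error | head -n 1)"; return 1 ;;
    esac
    # Step 3: the EKU extension must list TLS Web Client Authentication.
    if ! openssl x509 -in "$client" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL eku: $client has no Client Authentication EKU"; return 2
    fi
    echo "OK: $client chains to $cafile and carries clientAuth"
}
# sign_client DIR CANAME OUT [EXTFILE]: issue the constructed client CSR under a root.
sign_client() {
    extopt=""; [ -n "$4" ] && extopt="-extfile $1/$4"   # left unquoted below on purpose
    openssl x509 -req -in "$1/client.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -days 1 -out "$1/$3" $extopt 2>/dev/null
}
# make_lab_pki DIR: constructed throwaway PKI, two roots and three client certs.
make_lab_pki() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
EOF
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/eku.cnf"
    for name in trusted other; do   # "trusted" plays the root loaded on FortiAuthenticator
        openssl req -x509 -config "$dir/ca.cnf" -subj "/CN=$name root" -newkey rsa:2048 -nodes \
            -days 1 -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
    done
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=MY-LAB.joe.com" -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    sign_client "$dir" trusted good.pem eku.cnf      # right root, clientAuth present
    sign_client "$dir" other wrongca.pem eku.cnf     # wrong root -> error 20 on the server
    sign_client "$dir" trusted noeku.pem             # right root, EKU missing
}
if [ "${1:-}" = demo ]; then d=$(mktemp -d); make_lab_pki "$d"
    for c in good wrongca noeku; do check_client_cert "$d/$c.pem" "$d/trusted.pem"; done; fi
```

Run it with the argument `demo` to see all three verdicts; for a real case, convert the exported PKCS#12 to PEM and call check_client_cert with it and the CA file loaded on FortiAuthenticator.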