FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
js2
Staff
Article Id 383240
Description

This article discusses errors that appear in the RADIUS logs during certificate validation and how to address them.

Scope

FortiAuthenticator.
Solution

RADIUS debug:

2025-02-24T17:13:41.246883+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) OpenSSL says error 20 : unable to get local issuer certificate
2025-02-24T17:13:41.246927+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA 
2025-02-24T17:13:41.246939+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) Server : Error in error 
2025-02-24T17:13:41.246952+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed 
2025-02-24T17:13:41.246962+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) System call (I/O) error (-1) 
2025-02-24T17:13:41.246969+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation 
2025-02-24T17:13:41.246976+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: [eaptls process] = fail 

2025-02-24T17:13:41.247039+05:30 CR-FortiAutheticator radiusd[7524]: (16) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-02-24T17:13:41.247092+05:30 CR-FortiAutheticator radiusd[7524]: (16) facauth: Updated auth log 'host/MY-LAB.joe.com' for attempt from 192.168.1.10: 802.1x authentication failed

Solution:

 

  1. Export the client user certificate, with its key, in PKCS#12 format from Certificate Management -> End Entities -> Users and import it on the end device.
  2. Make sure the client certificate is signed by the correct root certificate.
  3. Ensure the Enhanced Key Usage field includes the Client Authentication attribute.
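The following is an added example, not Fortinet code: it groups radiusd debug lines by request number and maps the OpenSSL verify error to the matching check in the steps above. The `triage` function, the hint table and the request 17 sample line are constructed for illustration; the error numbers are the standard OpenSSL X509 verify codes.

```python
import re
from collections import defaultdict

# Standard OpenSSL X509 verify codes, mapped (as an assumption) to the article's checks.
HINTS = {
    20: "issuer not trusted by the server: confirm the signing root CA (step 2)",
    21: "incomplete chain: an intermediate CA is missing (step 2)",
    26: "purpose rejected: confirm EKU has Client Authentication (step 3)",
}
LINE = re.compile(r"^(\S+) (\S+) radiusd\[\d+\]: \((\d+)\) (.*)$")
VERIFY = re.compile(r"OpenSSL says error (\d+) : (.+)")
ALERT = re.compile(r"Alert write:fatal:(.+)")
AUTHLOG = re.compile(r"facauth: Updated auth log '([^']+)' for attempt from (\S+): (.+)")

def triage(lines):
    """Correlate radiusd lines per request and summarise certificate verify failures."""
    reqs = defaultdict(dict)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, host, req, msg = m.groups()
        entry = reqs[(host, req)]
        if v := VERIFY.search(msg):
            entry.update(time=ts, code=int(v[1]), error=v[2].strip())
        elif a := ALERT.search(msg):
            entry["alert"] = a[1].strip()
        elif f := AUTHLOG.search(msg):
            entry.update(identity=f[1], client_ip=f[2], result=f[3].strip())
    findings = []
    for (host, req), e in reqs.items():
        if "code" in e:  # only requests where OpenSSL reported a verify error
            e.update(host=host, request=req,
                     hint=HINTS.get(e["code"], "see the OpenSSL verify error text"))
            findings.append(e)
    return findings

# Sample input: three lines from the debug output above, plus one constructed line (request 17).
SAMPLE = """\
2025-02-24T17:13:41.246883+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) OpenSSL says error 20 : unable to get local issuer certificate
2025-02-24T17:13:41.246927+05:30 CR-FortiAutheticator radiusd[7524]: (16) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA
2025-02-24T17:13:41.247092+05:30 CR-FortiAutheticator radiusd[7524]: (16) facauth: Updated auth log 'host/MY-LAB.joe.com' for attempt from 192.168.1.10: 802.1x authentication failed
2025-02-24T17:14:02.101000+05:30 CR-FortiAutheticator radiusd[7524]: (17) eap_tls: ERROR: (TLS) OpenSSL says error 26 : unsupported certificate purpose
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['time']} req={f['request']} id={f.get('identity', '?')} "
              f"from={f.get('client_ip', '?')} error {f['code']}: {f['hint']}")
```

Request numbers repeat after a radiusd restart, so on a long capture split the input at restarts before grouping.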