RADIUS authentication in Wi-Fi unreliable after update to UCS 5.2 – TLS Alert read:fatal:unknown CA
Problem
After updating to Univention Corporate Server 5.2, a school reports that RADIUS authentication for the Wi-Fi network no longer works reliably.
Authentication attempts intermittently fail when users try to connect to the wireless network via RADIUS. The following error appears in the RADIUS logs:
Mon Feb 2 14:09:22 2026 : ERROR: (77335) eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA
Mon Feb 2 14:09:22 2026 : Auth: (77335) Login incorrect (eap_peap: (TLS) Alert read:fatal:unknown CA): [CondeLuc01/<via Auth-Type = eap>] (from client unifi port 2 cli 2A-F2-9E-B4-26-F3)
At the same time, it can be observed that a large number of devices are still successfully authenticating via RADIUS. Therefore, the issue does not affect all clients equally and may initially appear intermittent.
Investigation
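The log entry indicates that the TLS handshake fails because the client does not trust the certificate authority (CA) used by the RADIUS server. "Alert read" means the RADIUS server received the alert from the client, so it is the client that aborts the handshake.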
In this scenario:
- Client devices (e.g., Windows clients or mobile devices such as Android or iOS phones) attempt to authenticate via EAP-PEAP.
- During the TLS handshake, the client validates the server certificate.
- The client rejects the certificate chain because the CA is not trusted, resulting in the error:
TLS Alert read:fatal:unknown CA
This suggests that the issue is client-side rather than server-side, especially since many devices still authenticate successfully.
Typical causes include:
- Cached or outdated Wi-Fi profiles on client devices
- Previously stored CA certificates that no longer match the server configuration
- Differences in TLS compatibility between devices
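To see which devices are actually affected, the Auth lines in the RADIUS log can be grouped per user and client MAC. The following is an added example, not part of the original article or of UCS: the sample log is constructed apart from the two lines quoted above, the "Login OK" line layout is assumed to match FreeRADIUS's usual auth logging, and the function names are hypothetical.

```python
import re

# Matches FreeRADIUS "Auth:" lines such as the one quoted in the article.
AUTH_RE = re.compile(
    r": Auth: \(\d+\) (?P<result>Login OK|Login incorrect)(?P<reason>.*?): "
    r"\[(?P<user>[^/\]]*)[^\]]*\] \(from client \S+ port \d+ "
    r"cli (?P<mac>[0-9A-Fa-f-]{17})\)"
)
ALERT = "Alert read:fatal:unknown CA"

# Constructed sample; only the first two lines come from the article.
SAMPLE_LOG = """\
Mon Feb 2 14:09:22 2026 : ERROR: (77335) eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA
Mon Feb 2 14:09:22 2026 : Auth: (77335) Login incorrect (eap_peap: (TLS) Alert read:fatal:unknown CA): [CondeLuc01/<via Auth-Type = eap>] (from client unifi port 2 cli 2A-F2-9E-B4-26-F3)
Mon Feb 2 14:09:25 2026 : Auth: (77336) Login OK: [teacher01/<via Auth-Type = eap>] (from client unifi port 2 cli 02-00-00-00-00-01)
Mon Feb 2 14:10:01 2026 : Auth: (77338) Login incorrect (eap_peap: (TLS) Alert read:fatal:unknown CA): [student02/<via Auth-Type = eap>] (from client unifi port 2 cli 02-00-00-00-00-02)
Mon Feb 2 14:12:40 2026 : Auth: (77340) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [student03/<via Auth-Type = eap>] (from client unifi port 2 cli 02-00-00-00-00-03)
Mon Feb 2 14:20:13 2026 : Auth: (77351) Login OK: [student02/<via Auth-Type = eap>] (from client unifi port 2 cli 02-00-00-00-00-02)
"""

def classify(log_text):
    """Map (user, MAC) -> 'ok', 'unknown-ca' or 'recovered', in log order."""
    state = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an Auth line, e.g. the paired "ERROR:" line
        key = (m["user"], m["mac"].upper())
        if m["result"] == "Login OK":
            # A success after an unknown-CA reject means the profile was fixed.
            failed_before = state.get(key) in ("unknown-ca", "recovered")
            state[key] = "recovered" if failed_before else "ok"
        elif ALERT in m["reason"]:
            state[key] = "unknown-ca"
        # Other rejects (e.g. wrong password) are a different problem: ignore.
    return state

def affected(log_text):
    """Devices whose latest relevant event is still an unknown-CA reject."""
    return sorted(k for k, v in classify(log_text).items() if v == "unknown-ca")

if __name__ == "__main__":
    for user, mac in affected(SAMPLE_LOG):
        print(f"{user}\t{mac}\tstill rejecting the server CA")
```

Devices listed by `affected()` are the candidates for the profile reset described in the solution; entries that move to `recovered` confirm the fix took effect.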
In some earlier cases, authentication problems were also related to TLS version compatibility. By default, newer systems may prefer TLS 1.3, which is supported by modern operating systems such as Windows 11. However, older mobile devices may still rely on TLS 1.2.
Further details about TLS compatibility and RADIUS configuration can be found in the following Univention Knowledge Base articles:
- https://help.univention.com/t/how-to-use-radius-with-tls-1-2/22774
- https://help.univention.com/t/windows-11-credential-guard-effects-on-freeradius-network-authentication/23661
Solution
The most likely cause of this issue is cached Wi-Fi profiles on Android devices, regardless of the specific Android version.
Devices where the Wi-Fi profile was configured before the UCS update may still reference an outdated or no longer trusted certificate authority. As a result, the authentication process is aborted with the error unknown CA.
To resolve the issue:
- On the affected Android devices, remove the existing Wi-Fi profile completely.
- Reconfigure the Wi-Fi connection from scratch.
- During the new configuration, the device will retrieve and store the current CA certificate presented by the RADIUS server.
After recreating the Wi-Fi profile, authentication should work reliably again.
Summary
- The error TLS Alert read:fatal:unknown CA indicates that the client rejects the RADIUS server’s certificate authority.
- The issue typically affects only some devices, often those with older cached Wi-Fi configurations.
- Removing and recreating the Wi-Fi profile on affected Android devices resolves the issue in most cases.