Hi, I have a working radiusd.conf which can do EAP-TLS authentication. I am able to run the FreeRadius server in Ubuntu directly. Now I am trying to make the FreeRadius server running in Docker and upload it to GCP. However, with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknow CA". In my radiusd.conf, I have something like: modules { eap { ... tls { certdir = certs private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem ca_file = ${certdir}/ca.pem cipher_list = "HIGH" ecdh_curve = "prime256v1" } } } In my Dockerfile, I first have something like: WORKDIR /radius COPY radiusd.conf /radius COPY certs/ /radius/certs So the working directory has radiusd.conf and certs/ directory containing all the certificates. With eapol_test given the same ca.pem as input, I got the below errors from FreeRadius output. I got the same errors even if I change the Docker file to the absolute path of FreeRadius: COPY radiusd.conf /etc/freeradius/3.0/ COPY certs/ /etc/freeradius/3.0/certs/ Output: (0) Received Access-Request Id 0 from 104.132.1.66:42257 to 172.17.0.3:1812 length 134 (0) User-Name = "myusername" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x02ea000f016d79757365726e616d65 (0) Message-Authenticator = 0x064274c68e846bd643f10ee42c9a9f58 (0) # Executing section authorize from file ./radiusd.conf (0) authorize { (0) eap: Peer sent EAP Response (code 2) ID 234 length 15 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file ./radiusd.conf (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: Initiating new TLS session (0) eap_tls: Setting verify mode to require certificate from client (0) eap_tls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 235 length 6 (0) eap: EAP session adding &reply:State = 0x3c1cb3283cf7be5d (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) Sent Access-Challenge Id 0 from 172.17.0.3:1812 to 104.132.1.66:42257 length 0 (0) EAP-Message = 0x01eb00060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x3c1cb3283cf7be5deafe5da3e677933c (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 104.132.1.66:42257 to 172.17.0.3:1812 length 333 (1) User-Name = "myusername" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x02eb00c40d0016030100b9010000b50303651de82eea44d48516e3c1e705e1c3913aa0b4a3f6b029b7affcccdd7fd8d9f6000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602 (1) State = 0x3c1cb3283cf7be5deafe5da3e677933c (1) Message-Authenticator = 0x0016f403f73e4237308bb89e1eb39d88 (1) session-state: No cached attributes (1) # Executing section authorize from file ./radiusd.conf (1) authorize { (1) eap: Peer sent EAP Response (code 2) ID 235 length 196 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file ./radiusd.conf (1) authenticate { (1) eap: Expiring EAP session with state 0x3c1cb3283cf7be5d (1) eap: Finished EAP session with state 0x3c1cb3283cf7be5d (1) eap: Previous EAP request found for state 0x3c1cb3283cf7be5d, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: Continuing EAP-TLS (1) eap_tls: Got final TLS record fragment (190 bytes) (1) eap_tls: WARNING: Total received TLS record fragments (190 bytes), does not equal indicated TLS record length (0 bytes) (1) eap_tls: [eaptls verify] = ok (1) eap_tls: Done initial handshake (1) eap_tls: (other): before SSL initialization (1) eap_tls: TLS_accept: before SSL initialization (1) eap_tls: TLS_accept: before SSL initialization (1) eap_tls: <<< recv TLS 1.3 [length 00b9] (1) eap_tls: TLS_accept: SSLv3/TLS read client hello (1) eap_tls: >>> send TLS 1.2 [length 0035] (1) eap_tls: TLS_accept: SSLv3/TLS write server hello (1) eap_tls: >>> send TLS 1.2 [length 0707] (1) eap_tls: TLS_accept: SSLv3/TLS write certificate (1) eap_tls: >>> send TLS 1.2 [length 00af] (1) eap_tls: TLS_accept: SSLv3/TLS write certificate request (1) eap_tls: >>> send TLS 1.2 [length 0004] (1) eap_tls: TLS_accept: SSLv3/TLS write server done (1) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_tls: TLS - In Handshake Phase (1) eap_tls: TLS - got 2051 bytes of data (1) eap_tls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 236 length 1024 (1) eap: EAP session adding &reply:State = 0x3c1cb3283df0be5d (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) Sent Access-Challenge Id 1 from 172.17.0.3:1812 to 104.132.1.66:42257 length 0 (1) EAP-Message = 0x01ec04000dc0000008031603030035020000310303cce50e6fc3074f99584c4bbd99b4b26f5eddf075568fd37fd1954ad7a144c66f00009d000009ff010001000017000016030307070b00070300070000033e3082033a30820222020107300d06092a864886f70d01010b05003071310b30090603550406130255533116301406035504080c0d4d617373616368757365747473310f300d06035504070c06426f73746f6e31133011060355040a0c0a427574746f6e776f6f643124302206035504030c1b427574746f6e776f6f642054657374204341204465632032303138301e170d3138313231393231303133365a170d3138313232393231303133365a3055310b30090603550406130255533116301406035504080c0d4d61737361636875736574747331163014060355040a0c0d526164697573205365727665723116301406035504030c0d5261646975732053657276657230820122300d06092a864886f70d01010105000382010f003082010a02820101 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x3c1cb3283df0be5deafe5da3e677933c (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 2 from 104.132.1.66:42257 to 172.17.0.3:1812 length 143 (2) User-Name = "myusername" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x02ec00060d00 (2) State = 0x3c1cb3283df0be5deafe5da3e677933c (2) Message-Authenticator = 0xfcf988c59d274c385b0cb87554a6fb82 (2) session-state: No cached attributes (2) # Executing section authorize from file ./radiusd.conf (2) authorize { (2) eap: Peer sent EAP Response (code 2) ID 236 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file ./radiusd.conf (2) authenticate { (2) eap: Expiring EAP session with state 0x3c1cb3283df0be5d (2) eap: Finished EAP session with state 0x3c1cb3283df0be5d (2) eap: Previous EAP request found for state 0x3c1cb3283df0be5d, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: Continuing EAP-TLS (2) eap_tls: Peer ACKed our handshake fragment (2) eap_tls: [eaptls verify] = request (2) eap_tls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 237 length 1024 (2) eap: EAP session adding &reply:State = 0x3c1cb3283ef1be5d (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) Sent Access-Challenge Id 2 from 172.17.0.3:1812 to 104.132.1.66:42257 length 0 (2) EAP-Message = 0x01ed04000dc00000080374746f6e776f6f643124302206035504030c1b427574746f6e776f6f642054657374204341204465632032303138301e170d3138313231393136353033385a170d3139303131383136353033385a3071310b30090603550406130255533116301406035504080c0d4d617373616368757365747473310f300d06035504070c06426f73746f6e31133011060355040a0c0a427574746f6e776f6f643124302206035504030c1b427574746f6e776f6f64205465737420434120446563203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100a510110045315159b7107ba22629b7a59c16da413ed72112277d4498e02a6f7456d63444de8038dd72cc2094cc0c29b735d05004292b0721dec7b6c781ef06c9703069077776c7984927763fb06a77d11cfeb7fe080edad8d52d471f9c9c125a4cd0a9a35d0d9ada21a3ccaf74a6fde206b7a9c7533cadd02669d58e5aed57e3993851b296199134b8f355 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x3c1cb3283ef1be5deafe5da3e677933c (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 3 from 104.132.1.66:42257 to 172.17.0.3:1812 length 143 (3) User-Name = "myusername" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x02ed00060d00 (3) State = 0x3c1cb3283ef1be5deafe5da3e677933c (3) Message-Authenticator = 0xcbc352d3a078978d17e6fa7616a196e4 (3) session-state: No cached attributes (3) # Executing section authorize from file ./radiusd.conf (3) authorize { (3) eap: Peer sent EAP Response (code 2) ID 237 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file ./radiusd.conf (3) authenticate { (3) eap: Expiring EAP session with state 0x3c1cb3283ef1be5d (3) eap: Finished EAP session with state 0x3c1cb3283ef1be5d (3) eap: Previous EAP request found for state 0x3c1cb3283ef1be5d, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: Continuing EAP-TLS (3) eap_tls: Peer ACKed our handshake fragment (3) eap_tls: [eaptls verify] = request (3) eap_tls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 238 length 33 (3) eap: EAP session adding &reply:State = 0x3c1cb3283ff2be5d (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) Sent Access-Challenge Id 3 from 172.17.0.3:1812 to 104.132.1.66:42257 length 0 (3) EAP-Message = 0x01ee00210d8000000803737420434120446563203230313816030300040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x3c1cb3283ff2be5deafe5da3e677933c (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 4 from 104.132.1.66:42257 to 172.17.0.3:1812 length 150 (4) User-Name = "myusername" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x02ee000d0d0015030300020230 (4) State = 0x3c1cb3283ff2be5deafe5da3e677933c (4) Message-Authenticator = 0x6a8e3ca3d60a68499ed73d0b8dd61b82 (4) session-state: No cached attributes (4) # Executing section authorize from file ./radiusd.conf (4) authorize { (4) eap: Peer sent EAP Response (code 2) ID 238 length 13 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file ./radiusd.conf (4) authenticate { (4) eap: Expiring EAP session with state 0x3c1cb3283ff2be5d (4) eap: Finished EAP session with state 0x3c1cb3283ff2be5d (4) eap: Previous EAP request found for state 0x3c1cb3283ff2be5d, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: Continuing EAP-TLS (4) eap_tls: [eaptls verify] = ok (4) eap_tls: Done initial handshake (4) eap_tls: <<< recv TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA (4) eap_tls: TLS_accept: Need to read more data: error (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_tls: TLS - In Handshake Phase (4) eap_tls: TLS - Application data. (4) eap_tls: ERROR: TLS failed during operation (4) eap_tls: ERROR: [eaptls process] = fail (4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (4) eap: Sending EAP Failure (code 4) ID 238 length 4 (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject (4) Post-Auth-Type sub-section not found. Ignoring. (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (4) Sending delayed response (4) Sent Access-Reject Id 4 from 172.17.0.3:1812 to 104.132.1.66:42257 length 44 (4) EAP-Message = 0x04ee0004 (4) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +61 (1) Cleaning up request packet ID 1 with timestamp +61 (2) Cleaning up request packet ID 2 with timestamp +61 (3) Cleaning up request packet ID 3 with timestamp +61 (4) Cleaning up request packet ID 4 with timestamp +61 Ready to process requests Any ideas? Thanks in advance! Best, Holly