Thanks Alan for the quick response! I am using eapol_test to send the request with the ca.pem, but still got the Unknown CA error: $ eapol_test -c eap-tls.conf -a 34.94.22.45 -s myRandomPass -o eap-tls.out In my eap-tls.conf: network={ key_mgmt=WPA-EAP identity="myusername" proto=WPA2 eap=TLS ca_cert="ca.pem" // The same ca.pem in Free Radius private_key="client.p12" private_key_passwd="clientpassword" } Thank you! On Thu, Aug 8, 2019 at 5:30 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 8, 2019, at 8:13 PM, Jiuyu Sun <sunjiuyu@gmail.com> wrote:
I have a working radiusd.conf which can do EAP-TLS authentication. I am able to run the FreeRadius server in Ubuntu directly. Now I am trying to make the FreeRadius server running in Docker and upload it to GCP.
However,
with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknow CA".
In my radiusd.conf, I have something like:
That's all standard in the default configuration files.
In my Dockerfile, I first have something like: WORKDIR /radius COPY radiusd.conf /radius COPY certs/ /radius/certs
That should work. See also:
https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/scripts/docker
There are pre-built docker scripts for v3, and for the major Linux distributions.
(4) eap_tls: <<< recv TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA (4) eap_tls: TLS_accept: Need to read more data: error (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
That's a message from the supplicant. You configured the CA on FreeRADIUS, but not on the supplicant.
Add the CA to the supplicant and it should work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html