Freeradius with Docker - got Unknown CA error
Hi, I have a working radiusd.conf which can do EAP-TLS authentication. I am able to run the FreeRadius server in Ubuntu directly. Now I am trying to make the FreeRadius server running in Docker and upload it to GCP. However, with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknow CA". In my radiusd.conf, I have something like: modules { eap { ... tls { certdir = certs private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem ca_file = ${certdir}/ca.pem cipher_list = "HIGH" ecdh_curve = "prime256v1" } } } In my Dockerfile, I first have something like: WORKDIR /radius COPY radiusd.conf /radius COPY certs/ /radius/certs So the working directory has radiusd.conf and certs/ directory containing all the certificates. With eapol_test given the same ca.pem as input, I got the below errors from FreeRadius output. I got the same errors even if I change the Docker file to the absolute path of FreeRadius: COPY radiusd.conf /etc/freeradius/3.0/ COPY certs/ /etc/freeradius/3.0/certs/ Output: (0) Received Access-Request Id 0 from 104.132.1.66:42257 to 172.17.0.3:1812 length 134 (0) User-Name = "myusername" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x02ea000f016d79757365726e616d65 (0) Message-Authenticator = 0x064274c68e846bd643f10ee42c9a9f58 (0) # Executing section authorize from file ./radiusd.conf (0) authorize { (0) eap: Peer sent EAP Response (code 2) ID 234 length 15 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file ./radiusd.conf (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: Initiating new TLS session (0) eap_tls: Setting verify mode to require certificate from client (0) eap_tls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 235 length 6 (0) eap: EAP session adding &reply:State = 0x3c1cb3283cf7be5d (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) Sent Access-Challenge Id 0 from 172.17.0.3:1812 to 104.132.1.66:42257 length 0 (0) EAP-Message = 0x01eb00060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x3c1cb3283cf7be5deafe5da3e677933c (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 104.132.1.66:42257 to 172.17.0.3:1812 length 333 (1) User-Name = "myusername" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x02eb00c40d0016030100b9010000b50303651de82eea44d48516e3c1e705e1c3913aa0b4a3f6b029b7affcccdd7fd8d9f6000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602 (1) State = 0x3c1cb3283cf7be5deafe5da3e677933c (1) Message-Authenticator = 0x0016f403f73e4237308bb89e1eb39d88 (1) session-state: No cached attributes (1) # Executing section authorize from file ./radiusd.conf (1) authorize { (1) eap: Peer sent EAP Response (code 2) ID 235 length 196 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file ./radiusd.conf (1) authenticate { (1) eap: Expiring EAP session with state 0x3c1cb3283cf7be5d (1) eap: Finished EAP session with state 0x3c1cb3283cf7be5d (1) eap: Previous EAP request found for state 0x3c1cb3283cf7be5d, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: Continuing EAP-TLS (1) eap_tls: Got final TLS record fragment (190 bytes) (1) eap_tls: WARNING: Total received TLS record fragments (190 bytes), does not equal indicated TLS record length (0 bytes) (1) eap_tls: [eaptls verify] = ok (1) eap_tls: Done initial handshake (1) eap_tls: (other): before SSL initialization (1) eap_tls: TLS_accept: before SSL initialization (1) eap_tls: TLS_accept: before SSL initialization (1) eap_tls: <<< recv TLS 1.3 [length 00b9] (1) eap_tls: TLS_accept: SSLv3/TLS read client hello (1) eap_tls: >>> send TLS 1.2 [length 0035] (1) eap_tls: TLS_accept: SSLv3/TLS write server hello (1) eap_tls: >>> send TLS 1.2 [length 0707] (1) eap_tls: TLS_accept: SSLv3/TLS write certificate (1) eap_tls: >>> send TLS 1.2 [length 00af] (1) eap_tls: TLS_accept: SSLv3/TLS write certificate request (1) eap_tls: >>> send TLS 1.2 [length 0004] (1) eap_tls: TLS_accept: SSLv3/TLS write server done (1) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_tls: TLS - In Handshake Phase (1) eap_tls: TLS - got 2051 bytes of data (1) eap_tls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 236 length 1024 (1) eap: EAP session adding &reply:State = 0x3c1cb3283df0be5d (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) Sent Access-Challenge Id 1 from 172.17.0.3:1812 to 104.132.1.66:42257 length 0 (1) EAP-Message = 0x01ec04000dc0000008031603030035020000310303cce50e6fc3074f99584c4bbd99b4b26f5eddf075568fd37fd1954ad7a144c66f00009d000009ff010001000017000016030307070b00070300070000033e3082033a30820222020107300d06092a864886f70d01010b05003071310b30090603550406130255533116301406035504080c0d4d617373616368757365747473310f300d06035504070c06426f73746f6e31133011060355040a0c0a427574746f6e776f6f643124302206035504030c1b427574746f6e776f6f642054657374204341204465632032303138301e170d3138313231393231303133365a170d3138313232393231303133365a3055310b30090603550406130255533116301406035504080c0d4d61737361636875736574747331163014060355040a0c0d526164697573205365727665723116301406035504030c0d5261646975732053657276657230820122300d06092a864886f70d01010105000382010f003082010a02820101 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x3c1cb3283df0be5deafe5da3e677933c (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 2 from 104.132.1.66:42257 to 172.17.0.3:1812 length 143 (2) User-Name = "myusername" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x02ec00060d00 (2) State = 0x3c1cb3283df0be5deafe5da3e677933c (2) Message-Authenticator = 0xfcf988c59d274c385b0cb87554a6fb82 (2) session-state: No cached attributes (2) # Executing section authorize from file ./radiusd.conf (2) authorize { (2) eap: Peer sent EAP Response (code 2) ID 236 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file ./radiusd.conf (2) authenticate { (2) eap: Expiring EAP session with state 0x3c1cb3283df0be5d (2) eap: Finished EAP session with state 0x3c1cb3283df0be5d (2) eap: Previous EAP request found for state 0x3c1cb3283df0be5d, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: Continuing EAP-TLS (2) eap_tls: Peer ACKed our handshake fragment (2) eap_tls: [eaptls verify] = request (2) eap_tls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 237 length 1024 (2) eap: EAP session adding &reply:State = 0x3c1cb3283ef1be5d (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) Sent Access-Challenge Id 2 from 172.17.0.3:1812 to 104.132.1.66:42257 length 0 (2) EAP-Message = 0x01ed04000dc00000080374746f6e776f6f643124302206035504030c1b427574746f6e776f6f642054657374204341204465632032303138301e170d3138313231393136353033385a170d3139303131383136353033385a3071310b30090603550406130255533116301406035504080c0d4d617373616368757365747473310f300d06035504070c06426f73746f6e31133011060355040a0c0a427574746f6e776f6f643124302206035504030c1b427574746f6e776f6f64205465737420434120446563203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100a510110045315159b7107ba22629b7a59c16da413ed72112277d4498e02a6f7456d63444de8038dd72cc2094cc0c29b735d05004292b0721dec7b6c781ef06c9703069077776c7984927763fb06a77d11cfeb7fe080edad8d52d471f9c9c125a4cd0a9a35d0d9ada21a3ccaf74a6fde206b7a9c7533cadd02669d58e5aed57e3993851b296199134b8f355 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x3c1cb3283ef1be5deafe5da3e677933c (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 3 from 104.132.1.66:42257 to 172.17.0.3:1812 length 143 (3) User-Name = "myusername" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x02ed00060d00 (3) State = 0x3c1cb3283ef1be5deafe5da3e677933c (3) Message-Authenticator = 0xcbc352d3a078978d17e6fa7616a196e4 (3) session-state: No cached attributes (3) # Executing section authorize from file ./radiusd.conf (3) authorize { (3) eap: Peer sent EAP Response (code 2) ID 237 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file ./radiusd.conf (3) authenticate { (3) eap: Expiring EAP session with state 0x3c1cb3283ef1be5d (3) eap: Finished EAP session with state 0x3c1cb3283ef1be5d (3) eap: Previous EAP request found for state 0x3c1cb3283ef1be5d, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: Continuing EAP-TLS (3) eap_tls: Peer ACKed our handshake fragment (3) eap_tls: [eaptls verify] = request (3) eap_tls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 238 length 33 (3) eap: EAP session adding &reply:State = 0x3c1cb3283ff2be5d (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) Sent Access-Challenge Id 3 from 172.17.0.3:1812 to 104.132.1.66:42257 length 0 (3) EAP-Message = 0x01ee00210d8000000803737420434120446563203230313816030300040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x3c1cb3283ff2be5deafe5da3e677933c (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 4 from 104.132.1.66:42257 to 172.17.0.3:1812 length 150 (4) User-Name = "myusername" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x02ee000d0d0015030300020230 (4) State = 0x3c1cb3283ff2be5deafe5da3e677933c (4) Message-Authenticator = 0x6a8e3ca3d60a68499ed73d0b8dd61b82 (4) session-state: No cached attributes (4) # Executing section authorize from file ./radiusd.conf (4) authorize { (4) eap: Peer sent EAP Response (code 2) ID 238 length 13 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file ./radiusd.conf (4) authenticate { (4) eap: Expiring EAP session with state 0x3c1cb3283ff2be5d (4) eap: Finished EAP session with state 0x3c1cb3283ff2be5d (4) eap: Previous EAP request found for state 0x3c1cb3283ff2be5d, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: Continuing EAP-TLS (4) eap_tls: [eaptls verify] = ok (4) eap_tls: Done initial handshake (4) eap_tls: <<< recv TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA (4) eap_tls: TLS_accept: Need to read more data: error (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_tls: TLS - In Handshake Phase (4) eap_tls: TLS - Application data. (4) eap_tls: ERROR: TLS failed during operation (4) eap_tls: ERROR: [eaptls process] = fail (4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (4) eap: Sending EAP Failure (code 4) ID 238 length 4 (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject (4) Post-Auth-Type sub-section not found. Ignoring. (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (4) Sending delayed response (4) Sent Access-Reject Id 4 from 172.17.0.3:1812 to 104.132.1.66:42257 length 44 (4) EAP-Message = 0x04ee0004 (4) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +61 (1) Cleaning up request packet ID 1 with timestamp +61 (2) Cleaning up request packet ID 2 with timestamp +61 (3) Cleaning up request packet ID 3 with timestamp +61 (4) Cleaning up request packet ID 4 with timestamp +61 Ready to process requests Any ideas? Thanks in advance! Best, Holly
On Aug 8, 2019, at 8:13 PM, Jiuyu Sun <sunjiuyu@gmail.com> wrote:
I have a working radiusd.conf which can do EAP-TLS authentication. I am able to run the FreeRadius server in Ubuntu directly. Now I am trying to make the FreeRadius server running in Docker and upload it to GCP. However, with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknow CA".
In my radiusd.conf, I have something like:
That's all standard in the default configuration files.
In my Dockerfile, I first have something like: WORKDIR /radius COPY radiusd.conf /radius COPY certs/ /radius/certs
That should work. See also: https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/scripts/docker There are pre-built docker scripts for v3, and for the major Linux distributions.
(4) eap_tls: <<< recv TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA (4) eap_tls: TLS_accept: Need to read more data: error (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
That's a message from the supplicant. You configured the CA on FreeRADIUS, but not on the supplicant. Add the CA to the supplicant and it should work. Alan DeKok.
Thanks Alan for the quick response! I am using eapol_test to send the request with the ca.pem, but still got the Unknown CA error: $ eapol_test -c eap-tls.conf -a 34.94.22.45 -s myRandomPass -o eap-tls.out In my eap-tls.conf: network={ key_mgmt=WPA-EAP identity="myusername" proto=WPA2 eap=TLS ca_cert="ca.pem" // The same ca.pem in Free Radius private_key="client.p12" private_key_passwd="clientpassword" } Thank you! On Thu, Aug 8, 2019 at 5:30 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 8, 2019, at 8:13 PM, Jiuyu Sun <sunjiuyu@gmail.com> wrote:
I have a working radiusd.conf which can do EAP-TLS authentication. I am able to run the FreeRadius server in Ubuntu directly. Now I am trying to make the FreeRadius server running in Docker and upload it to GCP.
However,
with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknow CA".
In my radiusd.conf, I have something like:
That's all standard in the default configuration files.
In my Dockerfile, I first have something like: WORKDIR /radius COPY radiusd.conf /radius COPY certs/ /radius/certs
That should work. See also:
https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/scripts/docker
There are pre-built docker scripts for v3, and for the major Linux distributions.
(4) eap_tls: <<< recv TLS 1.2 [length 0002] (4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA (4) eap_tls: TLS_accept: Need to read more data: error (4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
That's a message from the supplicant. You configured the CA on FreeRADIUS, but not on the supplicant.
Add the CA to the supplicant and it should work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 8, 2019, at 8:51 PM, Jiuyu Sun <sunjiuyu@gmail.com> wrote:
Thanks Alan for the quick response!
I am using eapol_test to send the request with the ca.pem, but still got the Unknown CA error:
Then the client certificate is signed with another CA cert. OR the server certificate is signed with another CA cert. The certificates that come with the server work. The default configuration works. So... what changed? Alan DeKok.
Thanks Alan! I think both the server and client certificate should match the same CA. Using the same set of certificate, I can run the server directly in Ubuntu. So I doubt the issue is in my Dockerfile. In my Dockerfile: FROM ubuntu:18.04 RUN apt-get update &&\ apt-get install -y freeradius RUN adduser radius WORKDIR /radius EXPOSE 1812/udp 1813/udp COPY radiusd.conf /radius/ COPY certs/* /radius/certs/ CMD ["/usr/sbin/freeradius", "-d", ".","-f","-x","-lstdout"] I copied all the certificates under the current certs/ directory to /radius/certs/ in the docker environment. In the docker environment, there are still certificate under /etc/freeradius/3.0/certs, will FreeRadius use those certificates instead? Thanks a lot! On Thu, Aug 8, 2019 at 6:10 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 8, 2019, at 8:51 PM, Jiuyu Sun <sunjiuyu@gmail.com> wrote:
Thanks Alan for the quick response!
I am using eapol_test to send the request with the ca.pem, but still got the Unknown CA error:
Then the client certificate is signed with another CA cert.
OR the server certificate is signed with another CA cert.
The certificates that come with the server work. The default configuration works. So... what changed?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, 2019-08-08 at 18:46 -0700, Jiuyu Sun wrote:
Using the same set of certificate, I can run the server directly in Ubuntu. So I doubt the issue is in my Dockerfile.
If those certs work in Ubuntu, but don't in Docker, then that really does point to a problem in your Dockerfile.
In my Dockerfile:
FROM ubuntu:18.04 RUN apt-get update &&\ apt-get install -y freeradius RUN adduser radius WORKDIR /radius EXPOSE 1812/udp 1813/udp COPY radiusd.conf /radius/ COPY certs/* /radius/certs/ CMD ["/usr/sbin/freeradius", "-d", ".","-f","-x","-lstdout"]
I copied all the certificates under the current certs/ directory to /radius/certs/ in the docker environment. In the docker environment, there are still certificate under /etc/freeradius/3.0/certs, will FreeRadius use those certificates instead?
That's where the default configuration says to read them from. If you don't change the eap config, it will still read them from there. Read the debug output to see what files it is loading. (Or you could paste the full debug output to the list, as mentioned here pretty much every day.) Rather than making up your own Dockerfile, why not use the official ones? https://hub.docker.com/r/freeradius/freeradius-server -- Matthew
Problem solved! The debug output shows that it was referring to a different set of certificates. Thanks both, Alan and Matthew! On Fri, Aug 9, 2019 at 4:07 AM Matthew Newton <mcn@freeradius.org> wrote:
On Thu, 2019-08-08 at 18:46 -0700, Jiuyu Sun wrote:
Using the same set of certificate, I can run the server directly in Ubuntu. So I doubt the issue is in my Dockerfile.
If those certs work in Ubuntu, but don't in Docker, then that really does point to a problem in your Dockerfile.
In my Dockerfile:
FROM ubuntu:18.04 RUN apt-get update &&\ apt-get install -y freeradius RUN adduser radius WORKDIR /radius EXPOSE 1812/udp 1813/udp COPY radiusd.conf /radius/ COPY certs/* /radius/certs/ CMD ["/usr/sbin/freeradius", "-d", ".","-f","-x","-lstdout"]
I copied all the certificates under the current certs/ directory to /radius/certs/ in the docker environment. In the docker environment, there are still certificate under /etc/freeradius/3.0/certs, will FreeRadius use those certificates instead?
That's where the default configuration says to read them from. If you don't change the eap config, it will still read them from there. Read the debug output to see what files it is loading. (Or you could paste the full debug output to the list, as mentioned here pretty much every day.)
Rather than making up your own Dockerfile, why not use the official ones?
https://hub.docker.com/r/freeradius/freeradius-server
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Jiuyu Sun -
Matthew Newton