Freeradius with Docker - got Unknown CA error
Jiuyu Sun
sunjiuyu at gmail.com
Fri Aug 9 02:13:04 CEST 2019
Hi,
I have a working radiusd.conf which can do EAP-TLS authentication. I am
able to run the FreeRadius server in Ubuntu directly. Now I am trying to
make the FreeRadius server run in Docker and upload it to GCP. However,
with the same radiusd.conf, I got the error "TLS Alert read:fatal:unknown
CA".
In my radiusd.conf, I have something like:
modules {
    eap {
        ...
        tls {
            certdir = certs
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            ca_file = ${certdir}/ca.pem
            cipher_list = "HIGH"
            ecdh_curve = "prime256v1"
        }
    }
}
In my Dockerfile, I first have something like:
WORKDIR /radius
COPY radiusd.conf /radius
COPY certs/ /radius/certs
So the working directory has radiusd.conf and certs/ directory containing
all the certificates.
With eapol_test given the same ca.pem as input, I got the errors below in the
FreeRadius output. I got the same errors even if I change the Dockerfile
to use the absolute path of the FreeRadius configuration directory:
COPY radiusd.conf /etc/freeradius/3.0/
COPY certs/ /etc/freeradius/3.0/certs/
Output:
(0) Received Access-Request Id 0 from 104.132.1.66:42257 to 172.17.0.3:1812
length 134
(0) User-Name = "myusername"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x02ea000f016d79757365726e616d65
(0) Message-Authenticator = 0x064274c68e846bd643f10ee42c9a9f58
(0) # Executing section authorize from file ./radiusd.conf
(0) authorize {
(0) eap: Peer sent EAP Response (code 2) ID 234 length 15
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file ./radiusd.conf
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 235 length 6
(0) eap: EAP session adding &reply:State = 0x3c1cb3283cf7be5d
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Sent Access-Challenge Id 0 from 172.17.0.3:1812 to 104.132.1.66:42257
length 0
(0) EAP-Message = 0x01eb00060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x3c1cb3283cf7be5deafe5da3e677933c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 104.132.1.66:42257 to 172.17.0.3:1812
length 333
(1) User-Name = "myusername"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message =
0x02eb00c40d0016030100b9010000b50303651de82eea44d48516e3c1e705e1c3913aa0b4a3f6b029b7affcccdd7fd8d9f6000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(1) State = 0x3c1cb3283cf7be5deafe5da3e677933c
(1) Message-Authenticator = 0x0016f403f73e4237308bb89e1eb39d88
(1) session-state: No cached attributes
(1) # Executing section authorize from file ./radiusd.conf
(1) authorize {
(1) eap: Peer sent EAP Response (code 2) ID 235 length 196
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file ./radiusd.conf
(1) authenticate {
(1) eap: Expiring EAP session with state 0x3c1cb3283cf7be5d
(1) eap: Finished EAP session with state 0x3c1cb3283cf7be5d
(1) eap: Previous EAP request found for state 0x3c1cb3283cf7be5d, released
from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Got final TLS record fragment (190 bytes)
(1) eap_tls: WARNING: Total received TLS record fragments (190 bytes), does
not equal indicated TLS record length (0 bytes)
(1) eap_tls: [eaptls verify] = ok
(1) eap_tls: Done initial handshake
(1) eap_tls: (other): before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: <<< recv TLS 1.3 [length 00b9]
(1) eap_tls: TLS_accept: SSLv3/TLS read client hello
(1) eap_tls: >>> send TLS 1.2 [length 0035]
(1) eap_tls: TLS_accept: SSLv3/TLS write server hello
(1) eap_tls: >>> send TLS 1.2 [length 0707]
(1) eap_tls: TLS_accept: SSLv3/TLS write certificate
(1) eap_tls: >>> send TLS 1.2 [length 00af]
(1) eap_tls: TLS_accept: SSLv3/TLS write certificate request
(1) eap_tls: >>> send TLS 1.2 [length 0004]
(1) eap_tls: TLS_accept: SSLv3/TLS write server done
(1) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(1) eap_tls: TLS - In Handshake Phase
(1) eap_tls: TLS - got 2051 bytes of data
(1) eap_tls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 236 length 1024
(1) eap: EAP session adding &reply:State = 0x3c1cb3283df0be5d
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Sent Access-Challenge Id 1 from 172.17.0.3:1812 to 104.132.1.66:42257
length 0
(1) EAP-Message =
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x3c1cb3283df0be5deafe5da3e677933c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 104.132.1.66:42257 to 172.17.0.3:1812
length 143
(2) User-Name = "myusername"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message = 0x02ec00060d00
(2) State = 0x3c1cb3283df0be5deafe5da3e677933c
(2) Message-Authenticator = 0xfcf988c59d274c385b0cb87554a6fb82
(2) session-state: No cached attributes
(2) # Executing section authorize from file ./radiusd.conf
(2) authorize {
(2) eap: Peer sent EAP Response (code 2) ID 236 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file ./radiusd.conf
(2) authenticate {
(2) eap: Expiring EAP session with state 0x3c1cb3283df0be5d
(2) eap: Finished EAP session with state 0x3c1cb3283df0be5d
(2) eap: Previous EAP request found for state 0x3c1cb3283df0be5d, released
from the list
(2) eap: Peer sent packet with method EAP TLS (13)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: Peer ACKed our handshake fragment
(2) eap_tls: [eaptls verify] = request
(2) eap_tls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 237 length 1024
(2) eap: EAP session adding &reply:State = 0x3c1cb3283ef1be5d
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Sent Access-Challenge Id 2 from 172.17.0.3:1812 to 104.132.1.66:42257
length 0
(2) EAP-Message =
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x3c1cb3283ef1be5deafe5da3e677933c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 104.132.1.66:42257 to 172.17.0.3:1812
length 143
(3) User-Name = "myusername"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x02ed00060d00
(3) State = 0x3c1cb3283ef1be5deafe5da3e677933c
(3) Message-Authenticator = 0xcbc352d3a078978d17e6fa7616a196e4
(3) session-state: No cached attributes
(3) # Executing section authorize from file ./radiusd.conf
(3) authorize {
(3) eap: Peer sent EAP Response (code 2) ID 237 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file ./radiusd.conf
(3) authenticate {
(3) eap: Expiring EAP session with state 0x3c1cb3283ef1be5d
(3) eap: Finished EAP session with state 0x3c1cb3283ef1be5d
(3) eap: Previous EAP request found for state 0x3c1cb3283ef1be5d, released
from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: Continuing EAP-TLS
(3) eap_tls: Peer ACKed our handshake fragment
(3) eap_tls: [eaptls verify] = request
(3) eap_tls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 238 length 33
(3) eap: EAP session adding &reply:State = 0x3c1cb3283ff2be5d
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Sent Access-Challenge Id 3 from 172.17.0.3:1812 to 104.132.1.66:42257
length 0
(3) EAP-Message =
0x01ee00210d8000000803737420434120446563203230313816030300040e000000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3c1cb3283ff2be5deafe5da3e677933c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 104.132.1.66:42257 to 172.17.0.3:1812
length 150
(4) User-Name = "myusername"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x02ee000d0d0015030300020230
(4) State = 0x3c1cb3283ff2be5deafe5da3e677933c
(4) Message-Authenticator = 0x6a8e3ca3d60a68499ed73d0b8dd61b82
(4) session-state: No cached attributes
(4) # Executing section authorize from file ./radiusd.conf
(4) authorize {
(4) eap: Peer sent EAP Response (code 2) ID 238 length 13
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file ./radiusd.conf
(4) authenticate {
(4) eap: Expiring EAP session with state 0x3c1cb3283ff2be5d
(4) eap: Finished EAP session with state 0x3c1cb3283ff2be5d
(4) eap: Previous EAP request found for state 0x3c1cb3283ff2be5d, released
from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: Continuing EAP-TLS
(4) eap_tls: [eaptls verify] = ok
(4) eap_tls: Done initial handshake
(4) eap_tls: <<< recv TLS 1.2 [length 0002]
(4) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
(4) eap_tls: TLS_accept: Need to read more data: error
(4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca
(4) eap_tls: TLS - In Handshake Phase
(4) eap_tls: TLS - Application data.
(4) eap_tls: ERROR: TLS failed during operation
(4) eap_tls: ERROR: [eaptls process] = fail
(4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed
(4) eap: Sending EAP Failure (code 4) ID 238 length 4
(4) eap: Failed in EAP select
(4) [eap] = invalid
(4) } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(4) Sending delayed response
(4) Sent Access-Reject Id 4 from 172.17.0.3:1812 to 104.132.1.66:42257
length 44
(4) EAP-Message = 0x04ee0004
(4) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +61
(1) Cleaning up request packet ID 1 with timestamp +61
(2) Cleaning up request packet ID 2 with timestamp +61
(3) Cleaning up request packet ID 3 with timestamp +61
(4) Cleaning up request packet ID 4 with timestamp +61
Ready to process requests
Any ideas? Thanks in advance!
Best,
Holly
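A diagnostic worth running before digging further (added example, not part of the original post or of FreeRADIUS): the debug line says "TLS Alert read", i.e. the server received the alert, so it is the supplicant that could not chain the server certificate to the ca.pem it was given. The script below generates throwaway certificates as constructed stand-ins for certs/ca.pem and certs/server.pem and shows the two checks that matter: does server.pem verify against the CA file, and does the CA file inside the container have the same fingerprint as the one handed to eapol_test.

```shell
#!/bin/sh
# Constructed stand-ins for certs/ca.pem, server.key, server.pem (not the
# poster's real certificates); requires the openssl command-line tool.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 = output prefix, $2 = subject CN
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Server certificate issued by that CA: $1 = CA prefix, $2 = output prefix
gen_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.pem" 2>/dev/null
}

# Does the server certificate ($2) chain to a CA in $1?  This is the check
# the supplicant performs on the certificate FreeRADIUS sends; when it fails
# the supplicant answers with the "unknown CA" alert seen in the debug log.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in a PEM file.  Run this on
# the ca.pem inside the container (docker exec <id> openssl x509 -in
# /radius/certs/ca.pem -noout -fingerprint -sha256) and on the file given to
# eapol_test; the two values must be identical.
ca_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

gen_ca "$WORK/ca" "Radius Test CA"         # the CA that issued server.pem
gen_ca "$WORK/other" "Unrelated Test CA"   # a CA from some other build
gen_server "$WORK/ca" "$WORK/server"

chain_ok "$WORK/ca.pem" "$WORK/server.pem" && echo "server.pem verifies against ca.pem"
if ! chain_ok "$WORK/other.pem" "$WORK/server.pem"; then
  echo "server.pem does NOT verify against other.pem: supplicant would send unknown CA"
fi
echo "ca.pem    $(ca_fp "$WORK/ca.pem")"
echo "other.pem $(ca_fp "$WORK/other.pem")"
```

If the fingerprints differ, the image was built from a different certs/ directory than the one eapol_test is reading; if they match but the chain check fails, server.pem was issued by an intermediate that is not included in certificate_file.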