20250907
This commit is contained in:
Petar Cubela
134
projects/gg/freeradius/homelab/20250726-tls_certs_peap.md
Normal file
134
projects/gg/freeradius/homelab/20250726-tls_certs_peap.md
Normal file
@@ -0,0 +1,134 @@
|
||||
|
||||
The error **"TLS Alert: fatal: unknown CA"** indicates that the client (your phone) is trying to establish a **TLS connection** with the FreeRADIUS server, but it **cannot verify the server's certificate** because the **CA (Certificate Authority)** is not trusted. This is a **common issue when using PEAP (Protected Extensible Authentication Protocol)** with TLS. Let's fix it step by step.
|
||||
|
||||
---
|
||||
|
||||
### **1. Understand the Root Cause**
|
||||
- **PEAP (PEAP-MSCHAPv2)** requires **TLS** for secure communication.
|
||||
- Your phone is trying to connect to the FreeRADIUS server using **PEAP**, but the server is not presenting a **trusted certificate**.
|
||||
- The client (phone) is not trusting the **CA** that signed the server's certificate.
|
||||
|
||||
---
|
||||
|
||||
### **2. Fix: Configure TLS for PEAP on FreeRADIUS**
|
||||
You need to **set up a valid TLS certificate** for the FreeRADIUS server. Here's how:
|
||||
|
||||
#### **A. Generate a Self-Signed Certificate (For Testing)**
|
||||
If you're in a testing environment, you can create a **self-signed certificate**. This will work for testing but won't be trusted by phones (unless manually added).
|
||||
|
||||
1. **Generate a private key and certificate:**
|
||||
```bash
|
||||
openssl req -x509 -newkey rsa:2048 -keyout /etc/freeradius/certs/your_radius_server.key -out /etc/freeradius/certs/your_radius_server.crt -days 365 -nodes
|
||||
```
|
||||
- Replace `your_radius_server.crt` and `your_radius_server.key` with your server's certificate and key.
|
||||
|
||||
2. **Set correct permissions:**
|
||||
```bash
|
||||
chown -R freeradius:freeradius /etc/freeradius/certs/
|
||||
chmod 600 /etc/freeradius/certs/your_radius_server.key
|
||||
chmod 644 /etc/freeradius/certs/your_radius_server.crt
|
||||
```
|
||||
|
||||
#### **B. Configure FreeRADIUS to Use the Certificate**
|
||||
Update `/etc/freeradius/eap.conf` to use the certificate:
|
||||
|
||||
```ini
|
||||
eap {
|
||||
default_eap_type = peap
|
||||
timer_expire = 60
|
||||
max_sessions = 256
|
||||
|
||||
peap {
|
||||
# Path to your certificate and key
|
||||
certificate = /etc/freeradius/certs/your_radius_server.crt
|
||||
private_key = /etc/freeradius/certs/your_radius_server.key
|
||||
ca_list = /etc/freeradius/certs/ca.crt # Optional: If you're using a chain
|
||||
dh_file = /etc/freeradius/certs/dh2048.pem # Optional: Diffie-Hellman parameters
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
- If you're using a **self-signed certificate**, skip the `ca_list` line.
|
||||
- If you're using a **trusted CA**, ensure the `ca_list` contains the CA's certificate.
|
||||
|
||||
#### **C. Generate Diffie-Hellman Parameters (Optional)**
|
||||
For stronger TLS security:
|
||||
```bash
|
||||
openssl dhparam -out /etc/freeradius/certs/dh2048.pem 2048
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### **3. Ensure the Client (Phone) Trusts the Certificate**
|
||||
If you're using a **self-signed certificate**, the phone must trust it manually. Here's how:
|
||||
|
||||
#### **A. Export the Server's Certificate**
|
||||
1. Use `openssl` to extract the certificate from the `.crt` file:
|
||||
```bash
|
||||
openssl x509 -in /etc/freeradius/certs/your_radius_server.crt -outform der -out /path/to/cert.der
|
||||
```
|
||||
|
||||
2. Convert it to PEM format (optional):
|
||||
```bash
|
||||
openssl x509 -in your_radius_server.crt -out your_radius_server.pem
|
||||
```
|
||||
|
||||
#### **B. Install the Certificate on the Phone**
|
||||
- **Android**:
|
||||
1. Go to **Settings > Security > Trusted Credentials > User Certificates**.
|
||||
2. Import the `.der` or `.pem` file.
|
||||
- **iOS**:
|
||||
1. Go to **Settings > General > About > Certificate Trust Settings**.
|
||||
2. Add the certificate to the trusted list (may require a certificate from a trusted CA).
|
||||
|
||||
#### **C. Use a Trusted CA (Recommended for Production)**
|
||||
If you're using a certificate from a **trusted CA** (e.g., Let's Encrypt), ensure:
|
||||
- The certificate is correctly installed.
|
||||
- The **CA chain** is complete (e.g., intermediate certificates are included).
|
||||
- The phone's trust store includes the CA's certificate.
|
||||
|
||||
---
|
||||
|
||||
### **4. Verify FreeRADIUS TLS Configuration**
|
||||
1. **Restart FreeRADIUS**:
|
||||
```bash
|
||||
systemctl restart freeradius
|
||||
```
|
||||
|
||||
2. **Check Logs for TLS Errors**:
|
||||
```bash
|
||||
tail -f /var/log/freeradius/radius.log
|
||||
```
|
||||
Look for:
|
||||
- `TLS: Server certificate is not trusted`
|
||||
- `TLS: No trusted certificate found`
|
||||
|
||||
3. **Test with `radtest`** (Ensure PEAP is working):
|
||||
```bash
|
||||
radtest testuser password 10.56.1.251 0 YOUR_SHARED_SECRET
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### **5. Advanced: Debug TLS Handshake**
|
||||
If the issue persists, enable **TLS debugging** in `eap.conf`:
|
||||
```ini
|
||||
eap {
|
||||
debug = yes
|
||||
...
|
||||
}
|
||||
```
|
||||
Then check the logs for detailed TLS handshake errors.
|
||||
|
||||
---
|
||||
|
||||
### **Summary of Fixes**
|
||||
| Step | Action |
|
||||
|------|--------|
|
||||
| 1 | Generate a valid TLS certificate (self-signed or trusted CA) |
|
||||
| 2 | Configure FreeRADIUS to use the certificate in `eap.conf` |
|
||||
| 3 | Install the certificate on the phone (or ensure the CA is trusted) |
|
||||
| 4 | Restart FreeRADIUS and verify TLS is working |
|
||||
| 5 | Debug with `debug = yes` if issues persist |
|
||||
|
||||
After these steps, the **"unknown CA"** error should resolve, and your phone should be able to connect securely via PEAP. Let me know if you need help with certificate chains or CA trust setup! 🚀
|
||||
Reference in New Issue
Block a user