The error **"TLS Alert: fatal: unknown CA"** means that the client (your phone) is trying to establish a **TLS connection** with the FreeRADIUS server but **cannot verify the server's certificate**, because the **CA (Certificate Authority)** that issued it is not in the phone's trust store. This is a **common issue when using PEAP (Protected Extensible Authentication Protocol)**, which runs its inner authentication inside a TLS tunnel. Let's fix it step by step.

---

### **1. Understand the Root Cause**

- **PEAP (PEAP-MSCHAPv2)** wraps the MSCHAPv2 exchange in a **TLS** tunnel, so the phone must validate the server's certificate before it sends any credentials.
- Your phone is trying to connect to the FreeRADIUS server using **PEAP**, but the server is not presenting a certificate the phone can validate.
- The phone does not trust the **CA** that signed the server's certificate (with a self-signed certificate, the certificate is its own CA, and the phone has never seen it).

---

### **2. Fix: Configure TLS for PEAP on FreeRADIUS**

You need to **set up a valid TLS certificate** for the FreeRADIUS server. Here's how:

#### **A. Generate a Self-Signed Certificate (For Testing)**

If you're in a testing environment, you can create a **self-signed certificate**. This will work for testing but won't be trusted by phones unless it is manually installed on them (see step 3).

1. **Generate a private key and certificate:**

   ```bash
   openssl req -x509 -newkey rsa:2048 \
     -keyout /etc/freeradius/certs/your_radius_server.key \
     -out /etc/freeradius/certs/your_radius_server.crt \
     -days 365 -nodes
   ```

   - Replace `your_radius_server.crt` and `your_radius_server.key` with the names you want for your server's certificate and key.
   - When prompted for the Common Name, enter the RADIUS server's hostname; phones that check the server name compare it against this value.

2. **Set correct permissions:**

   ```bash
   chown -R freeradius:freeradius /etc/freeradius/certs/
   chmod 600 /etc/freeradius/certs/your_radius_server.key
   chmod 644 /etc/freeradius/certs/your_radius_server.crt
   ```

   Use the account the daemon actually runs as (on Debian/Ubuntu it is `freerad`).

#### **B. Configure FreeRADIUS to Use the Certificate**

Update the EAP module configuration (`/etc/freeradius/eap.conf` in FreeRADIUS 2.x; `mods-available/eap` under `/etc/freeradius/3.0/` or `/etc/raddb/` in 3.x) so that PEAP uses your certificate. The 3.x syntax is shown: the certificate paths live in a named `tls-config` block that the `peap` section references.

```ini
eap {
    default_eap_type = peap
    timer_expire     = 60
    max_sessions     = 256

    tls-config tls-common {
        # Path to your certificate and key
        private_key_file = /etc/freeradius/certs/your_radius_server.key
        certificate_file = /etc/freeradius/certs/your_radius_server.crt
        ca_file          = /etc/freeradius/certs/ca.crt      # Optional: CA (chain) that signed the server cert
        dh_file          = /etc/freeradius/certs/dh2048.pem  # Optional: Diffie-Hellman parameters
    }

    peap {
        tls              = tls-common   # Use the certificate settings above
        default_eap_type = mschapv2     # Inner authentication method
    }

    mschapv2 {
    }
}
```

- If you're using a **self-signed certificate**, omit the `ca_file` line.
- If you're using a **trusted CA**, make sure `ca_file` contains the CA's certificate (and any intermediates).

#### **C. Generate Diffie-Hellman Parameters (Optional)**

For stronger TLS security (only needed if `dh_file` is set):

```bash
openssl dhparam -out /etc/freeradius/certs/dh2048.pem 2048
```

---

### **3. Ensure the Client (Phone) Trusts the Certificate**

If you're using a **self-signed certificate**, the phone must be told to trust it. Here's how:

#### **A. Export the Server's Certificate**

1. Use `openssl` to convert the `.crt` file to DER, the format some phones expect for import:

   ```bash
   openssl x509 -in /etc/freeradius/certs/your_radius_server.crt -outform der -out /path/to/cert.der
   ```

2. If your phone wants a `.pem` file instead (the `.crt` written in step 2A is already PEM-encoded, so this only re-emits it under a new name):

   ```bash
   openssl x509 -in your_radius_server.crt -out your_radius_server.pem
   ```

#### **B. Install the Certificate on the Phone**

- **Android**:
  1. Go to **Settings > Security > Trusted Credentials > User Certificates**.
  2. Import the `.der` or `.pem` file.
- **iOS**:
  1. Install the certificate first (opening the file from Mail or Safari creates a configuration profile), then go to **Settings > General > About > Certificate Trust Settings**.
  2. Enable full trust for the certificate (a certificate from a trusted CA may not need this step).

In the Wi-Fi network's settings, select this certificate as the CA to validate against, and enter the server's name where the option exists, rather than choosing "Don't validate": a client that skips validation will hand its credentials to any RADIUS server, including one impersonating yours.

#### **C. Use a Trusted CA (Recommended for Production)**

If you're using a certificate from a **trusted CA** (e.g., Let's Encrypt), ensure:

- The certificate is correctly installed.
- The **CA chain** is complete (e.g., intermediate certificates are included in `certificate_file` or `ca_file`).
- The phone's trust store includes the CA's root certificate.

---

### **4. Verify FreeRADIUS TLS Configuration**

1. **Restart FreeRADIUS**:

   ```bash
   systemctl restart freeradius
   ```

2. **Check Logs for TLS Errors**:

   ```bash
   tail -f /var/log/freeradius/radius.log
   ```

   Look for lines reporting a certificate or CA verification failure, such as:

   - `TLS: Server certificate is not trusted`
   - `TLS: No trusted certificate found`

3. **Test with `radtest`**:

   ```bash
   radtest testuser password 10.56.1.251 0 YOUR_SHARED_SECRET
   ```

   `radtest` sends a plain PAP request by default, so it confirms the shared secret, the client entry and the user's credentials; it does not exercise the PEAP/TLS tunnel. For a PEAP test from the command line, use `eapol_test` from the wpa_supplicant package.

---

### **5. Advanced: Debug TLS Handshake**

If the issue persists, stop the service and run FreeRADIUS in the foreground in **debug mode**, which prints every step of the TLS handshake:

```bash
systemctl stop freeradius
freeradius -X      # "radiusd -X" on distributions that install the binary under that name
```

Then try to connect from the phone and read the handshake output for the exact certificate error.

---

### **Summary of Fixes**

| Step | Action |
|------|--------|
| 1 | Generate a valid TLS certificate (self-signed or trusted CA) |
| 2 | Configure FreeRADIUS to use the certificate in the EAP module configuration |
| 3 | Install the certificate on the phone (or ensure the CA is trusted) |
| 4 | Restart FreeRADIUS and verify TLS is working |
| 5 | Debug with `freeradius -X` if issues persist |

After these steps, the **"unknown CA"** error should resolve, and your phone should be able to connect securely via PEAP. Let me know if you need help with certificate chains or CA trust setup! 🚀
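The chain and key checks behind steps 2 and 3, run locally before touching the phone, as an added example that is not part of the original answer: it builds a throwaway test CA and server certificate in a temporary directory (constructed data, not your `/etc/freeradius/certs`), verifies the server certificate against the CA the same way a phone with that CA installed does, and checks that the private key belongs to the certificate. It assumes `openssl` is on `PATH`.

```shell
#!/bin/sh
# Added example (not from the original answer): local checks that mirror what the
# phone does when it reports "unknown CA". Assumes openssl is on PATH. All files
# live in a throwaway temp dir with constructed names, not in /etc/freeradius/certs.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a small private CA, a server certificate signed by it, and an unrelated
# self-signed certificate that stands in for a server the CA never signed.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test RADIUS CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=other.example.test" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# verify_chain CA_FILE SERVER_CERT -> 0 if SERVER_CERT chains to CA_FILE, 1 otherwise.
# A failure here is the same verdict the phone reports as "unknown CA".
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY_FILE CERT_FILE -> 0 if the key's public half equals the cert's.
# A mismatch stops FreeRADIUS from completing any TLS handshake with that cert.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

make_test_pki
verify_chain "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt: chains to ca.crt"
verify_chain "$WORK/ca.crt" "$WORK/other.crt" || echo "other.crt: unknown CA (expected)"
key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "server.key matches server.crt"
```

Point `verify_chain` at your real `ca.crt` and `your_radius_server.crt` (or at the server certificate twice when it is self-signed) to confirm the files you are about to install on the phone actually form a chain.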