notes/projects/gg/freeradius/homelab/20250726-tls_certs_peap.md
Petar Cubela 584265c22c 20250907
2025-09-07 13:07:01 +02:00


The error "TLS Alert: fatal: unknown CA" indicates that the client (your phone) is trying to establish a TLS connection with the FreeRADIUS server, but it cannot verify the server's certificate because the CA (Certificate Authority) is not trusted. This is a common issue when using PEAP (Protected Extensible Authentication Protocol) with TLS. Let's fix it step by step.


1. Understand the Root Cause

  • PEAP (PEAP-MSCHAPv2) requires TLS for secure communication.
  • Your phone is trying to connect to the FreeRADIUS server using PEAP, but the server is not presenting a trusted certificate.
  • The client (phone) is not trusting the CA that signed the server's certificate.

2. Fix: Configure TLS for PEAP on FreeRADIUS

You need to set up a valid TLS certificate for the FreeRADIUS server. Here's how:

A. Generate a Self-Signed Certificate (For Testing)

If you're in a testing environment, you can create a self-signed certificate. This will work for testing but won't be trusted by phones (unless manually added).

  1. Generate a private key and certificate:

    openssl req -x509 -newkey rsa:2048 -keyout /etc/freeradius/certs/your_radius_server.key -out /etc/freeradius/certs/your_radius_server.crt -days 365 -nodes
    
    • Replace your_radius_server.crt and your_radius_server.key with your server's certificate and key.
  2. Set correct permissions:

    chown -R freeradius:freeradius /etc/freeradius/certs/
    chmod 600 /etc/freeradius/certs/your_radius_server.key
    chmod 644 /etc/freeradius/certs/your_radius_server.crt
    

B. Configure FreeRADIUS to Use the Certificate

Update /etc/freeradius/eap.conf to use the certificate:

```
eap {
    default_eap_type = peap
    timer_expire = 60
    max_sessions = 256

    # FreeRADIUS keeps the TLS settings in a shared tls-config block (3.x; the
    # module file is mods-available/eap, linked from mods-enabled/). The option
    # names are certificate_file / private_key_file / ca_file / dh_file.
    tls-config tls-common {
        private_key_file = /etc/freeradius/certs/your_radius_server.key
        certificate_file = /etc/freeradius/certs/your_radius_server.crt
        ca_file = /etc/freeradius/certs/ca.crt      # Optional: CA (chain) that signed the server cert
        dh_file = /etc/freeradius/certs/dh2048.pem  # Optional: Diffie-Hellman parameters
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2   # inner method for PEAP-MSCHAPv2
    }

    mschapv2 {
    }
}
```
  • If you're using a self-signed certificate, skip the ca_file line.
  • If you're using a trusted CA, ensure the ca_file contains the CA's certificate.

C. Generate Diffie-Hellman Parameters (Optional)

For stronger TLS security:

openssl dhparam -out /etc/freeradius/certs/dh2048.pem 2048

3. Ensure the Client (Phone) Trusts the Certificate

If you're using a self-signed certificate, the phone must trust it manually. Here's how:

A. Export the Server's Certificate

  1. Use openssl to extract the certificate from the .crt file:

    openssl x509 -in /etc/freeradius/certs/your_radius_server.crt -outform der -out /path/to/cert.der
    
  2. Convert it to PEM format (optional; the .crt written by openssl req in step 2A is already PEM, so this is only needed if your file is DER):

    openssl x509 -in your_radius_server.crt -out your_radius_server.pem
    

B. Install the Certificate on the Phone

  • Android:
    1. Go to Settings > Security > Trusted Credentials > User Certificates.
    2. Import the .der or .pem file.
  • iOS:
    1. Go to Settings > General > About > Certificate Trust Settings.
    2. Add the certificate to the trusted list (may require a certificate from a trusted CA).

If you're using a certificate from a trusted CA (e.g., Let's Encrypt), ensure:

  • The certificate is correctly installed.
  • The CA chain is complete (e.g., intermediate certificates are included).
  • The phone's trust store includes the CA's certificate.
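
Section 2A above generates a single self-signed server certificate, and the bullets just above require a complete chain when a CA issues the certificate. The script below is an added example, not part of the original notes: it builds a small private CA, issues a server certificate signed by it (with the subjectAltName and serverAuth EKU that phones and Windows require for EAP server certificates), and then verifies the chain with `openssl verify`, which is the same check the supplicant performs when it reports "unknown CA". The CA name, the hostname radius.homelab.lan, the output directory and the certificate lifetimes are assumptions for this lab.

```shell
#!/bin/sh
# Added example, not from the original notes: build a private CA, issue a
# RADIUS server certificate signed by it, and verify the chain the way a
# supplicant does. CA name, hostname radius.homelab.lan, output directory and
# lifetimes are assumptions for this lab.
set -eu

# write_req_cnf <file> <CN> <x509-extension-section>
# Minimal openssl config so the commands below never depend on the system
# openssl.cnf (no prompts, explicit extensions).
write_req_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = $3
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
# serverAuth EKU: Windows and recent Android reject EAP server certs without it
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
EOF
}

# make_radius_certs <outdir> <server-hostname>
# Produces ca.key/ca.pem (trust anchor for the phones) and server.key/server.pem
# (what FreeRADIUS presents in the PEAP tunnel).
make_radius_certs() {
    dir=$1
    host=$2
    mkdir -p "$dir"

    # 1. Private CA. Only ca.pem is ever copied to clients; ca.key stays offline.
    write_req_cnf "$dir/ca.cnf" "Homelab RADIUS CA" v3_ca
    openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

    # 2. Server key + CSR. The CN/SAN is the name a client can pin as the
    #    RADIUS server "domain".
    write_req_cnf "$dir/server.cnf" "$host" v3_server
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Sign the CSR with the CA. 'x509 -req' ignores extensions requested in
    #    the CSR, so the leaf extensions are passed explicitly here.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.cnf" -extensions v3_server \
        -out "$dir/server.pem" 2>/dev/null

    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_chain <outdir>: returns 0 only when server.pem chains to ca.pem.
# This is the check the phone performs once ca.pem is in its trust store;
# a failure here is the server-side view of "TLS Alert: fatal: unknown CA".
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# has_server_auth_eku <outdir>: returns 0 when the leaf carries the
# serverAuth extended key usage.
has_server_auth_eku() {
    openssl x509 -in "$1/server.pem" -noout -text | grep -q "TLS Web Server Authentication"
}

if [ "${1:-}" = "run" ]; then
    out=${2:-./radius-certs}
    make_radius_certs "$out" "${3:-radius.homelab.lan}"
    verify_chain "$out" && has_server_auth_eku "$out" \
        && echo "$out/server.pem chains to $out/ca.pem and carries serverAuth"
fi
```

Run it as `sh make-certs.sh run /etc/freeradius/certs radius.homelab.lan`, point `certificate_file`/`private_key_file` at server.pem/server.key and `ca_file` at ca.pem, and install only ca.pem on the phones. Because the phones trust the CA rather than the leaf, the server certificate can be rotated later without touching any client.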

4. Verify FreeRADIUS TLS Configuration

  1. Restart FreeRADIUS:

    systemctl restart freeradius
    
  2. Check Logs for TLS Errors:

    tail -f /var/log/freeradius/radius.log
    

    Look for:

    • TLS: Server certificate is not trusted
    • TLS: No trusted certificate found
  3. Test with radtest (Ensure PEAP is working):

    radtest testuser password 10.56.1.251 0 YOUR_SHARED_SECRET
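
A caveat on step 3: radtest only sends PAP, CHAP, MSCHAP or EAP-MD5 requests, so a successful radtest shows the shared secret and the user database work but never opens the PEAP TLS tunnel. The script below is an added example, not part of the original notes: it writes a wpa_supplicant-style configuration for `eapol_test` (the EAP test client shipped with wpa_supplicant) that validates the server certificate the same way a phone does, and runs a real PEAP-MSCHAPv2 authentication against the server. The identity, password, CA path, server name and shared secret are assumptions; 10.56.1.251 is the server address used in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: exercise the actual PEAP tunnel
# with eapol_test. Identity, password, CA path, server name and shared secret
# are assumptions for this lab.
set -eu

# write_peap_cfg <file> <identity> <password> <ca-file> <server-name>
# ca_cert and domain_match are what make the client verify the server
# certificate instead of trusting anything, i.e. the same check a phone runs.
write_peap_cfg() {
    cat > "$1" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$2"
    anonymous_identity="anonymous"
    password="$3"
    ca_cert="$4"
    domain_match="$5"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
EOF
}

# cfg_validates_server <file>: returns 0 when the config pins both a CA and a
# server name, so that a SUCCESS result actually proves the chain is trusted
# rather than merely that the inner password was accepted.
cfg_validates_server() {
    grep -q '^ *ca_cert=' "$1" && grep -q '^ *domain_match=' "$1"
}

# run_peap_test <cfg> <server-ip> <shared-secret>
# Returns 0 on SUCCESS, 1 on FAILURE, 2 when eapol_test is not installed.
run_peap_test() {
    command -v eapol_test >/dev/null 2>&1 || {
        echo "eapol_test not installed (build it from wpa_supplicant: make eapol_test)" >&2
        return 2
    }
    # -r 1: a single authentication round; eapol_test prints SUCCESS/FAILURE last
    eapol_test -c "$1" -a "$2" -p 1812 -s "$3" -r 1 2>&1 | grep -q '^SUCCESS'
}

if [ "${1:-}" = "run" ]; then
    cfg=./peap-test.conf
    write_peap_cfg "$cfg" testuser password /etc/freeradius/certs/ca.pem radius.homelab.lan
    cfg_validates_server "$cfg"
    run_peap_test "$cfg" 10.56.1.251 YOUR_SHARED_SECRET \
        && echo "PEAP-MSCHAPv2 authentication succeeded with certificate validation"
fi
```

If this reports FAILURE while radtest succeeds, the problem is in the TLS tunnel (certificate, chain or trust) rather than in the user credentials; with `freeradius -X` running on the server, the alert from the client will show which.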
    

5. Advanced: Debug TLS Handshake

If the issue persists, run the server in the foreground in debug mode. The eap section has no `debug` option; the `-X` flag prints the full TLS handshake, including the alert the client sends. Stop the service first, because the debug instance binds the same ports:

```
systemctl stop freeradius
freeradius -X        # radiusd -X on RHEL-based systems
```

Then check the output for detailed TLS handshake errors.


Summary of Fixes

| Step | Action |
|------|--------|
| 1 | Generate a valid TLS certificate (self-signed or trusted CA) |
| 2 | Configure FreeRADIUS to use the certificate in eap.conf |
| 3 | Install the certificate on the phone (or ensure the CA is trusted) |
| 4 | Restart FreeRADIUS and verify TLS is working |
| 5 | Debug with `freeradius -X` if issues persist |

After these steps, the "unknown CA" error should resolve, and your phone should be able to connect securely via PEAP. Let me know if you need help with certificate chains or CA trust setup! 🚀