For user authentication via EAP-PEAP, a certificate issued by a public certification authority is used. As a result, no certificate-related actions are required on the client side for certificate validation. The certificate is issued with a validity period of one year and must be renewed upon expiration.
The certificate expiration date can be checked using the following command:
$ sudo docker exec -it naice-radius openssl x509 -in /etc/raddb/certs/tls/trusted_server_chain.crt -noout -enddate
notAfter=Jan 27 09:29:53 2027 GMT
By default, the certificate is embedded in the container and is updated as new NAICE versions are released. For older versions, manual certificate updates are required. If necessary, a custom third-party certificate can also be used.
The certificate current at the time of this NAICE release is: radius_certs_to_27012027.tar.gz
Starting with version 1.0.2, a dedicated playbook is available for certificate updates: v1.1_3.11 Updating/replacing RADIUS certificates for EAP-PEAP/TLS using Ansible playbooks
To manually replace the RADIUS server certificates, perform the following steps:
On the NAICE server, create a directory where the certificates from the archive will be stored (for example, /NAICE-installation-directory/tls):
sudo mkdir /etc/docker-naice/tls
- Copy the certificate files to the newly created directory.
Verify and, if necessary, assign the correct file ownership and permissions:
sudo chown root:root /etc/docker-naice/tls
sudo chmod 600 /etc/docker-naice/tls
Mount the certificate directory into the naice-radius container using a volume by editing the docker-compose.yml file:
docker-compose.yml
naice-radius:
  [...]
  volumes:
    - ${RADIUS_LOG_PATH}:/opt/var/log/radius
    - ./tls:/opt/etc/raddb/certs/tls
Specify the names of the new certificate files in the .env environment variables if they differ from the existing ones. If required, specify the password for the certificate private key file:
.env
RADIUS_CERTS_CA_CERT_FILE: trusted_server.crt # root (CA) certificate file name
RADIUS_CERTS_PRIVATE_KEY_FILE: trusted_server.k # server certificate private key file name
RADIUS_CERTS_PRIVATE_KEY_PASSWORD: # password for the server certificate private key file; leave empty if the private key is not password-protected
RADIUS_CERTS_CERTIFICATE_FILE: trusted_server_chain.crt # server certificate file name
Apply the changes by restarting the naice-radius container:
sudo docker compose down naice-radius && sudo docker compose up -d naice-radius
Verify that the naice-radius container has started successfully.
$ sudo docker compose ps -a naice-radius
NAME           COMMAND                  SERVICE        STATUS              PORTS
naice-radius   "/docker-entrypoint.…"   naice-radius   running (healthy)   0.0.0.0:1812-1813->1812-1813/udp, 0.0.0.0:9812->9812/tcp, :::1812-1813->1812-1813/udp, :::9812->9812/tcp
If the container fails to start, review the logs for errors using the following command:
$ sudo docker compose logs naice-radius
- Verify that EAP-PEAP authentication is functioning correctly.
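A pre-flight check for the new files, to run before the container restart in the procedure above; this is an added example, not part of the NAICE documentation or tooling. It uses the directory and file names shown on this page and goes slightly beyond the expiry command above by checking every certificate in the chain file, since openssl x509 reads only the first one. The function names and reading the key passphrase from an exported shell variable are assumptions of the example.

```shell
#!/bin/sh
# Added example (not NAICE tooling): checks to run on a new certificate set
# before restarting naice-radius. Function names are hypothetical.

# key_matches_cert KEY CERT: succeed only if KEY is the private key of the
# first (server) certificate in CERT. Assumption: a key passphrase, if any,
# is exported in the shell as RADIUS_CERTS_PRIVATE_KEY_PASSWORD.
key_matches_cert() {
    pass="pass:"   # empty passphrase: an encrypted key fails instead of prompting
    if [ -n "${RADIUS_CERTS_PRIVATE_KEY_PASSWORD:-}" ]; then
        pass="env:RADIUS_CERTS_PRIVATE_KEY_PASSWORD"
    fi
    k=$(openssl pkey -in "$1" -passin "$pass" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# chain_expiring CHAIN DAYS: print subject and end date of every certificate
# in CHAIN that expires within DAYS days. "openssl x509 -in" reads only the
# first PEM block, so the chain is split into one file per certificate.
chain_expiring() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -checkend $(($2 * 86400)) >/dev/null ||
            openssl x509 -in "$f" -noout -subject -enddate
    done
    rm -rf "$tmp"
}

# preflight DIR [DAYS]: run both checks on the file names used on this page.
# Usage: preflight /etc/docker-naice/tls 30
preflight() {
    dir=$1; days=${2:-30}
    key_matches_cert "$dir/trusted_server.k" "$dir/trusted_server_chain.crt" || {
        echo "private key is unreadable or does not match the server certificate" >&2
        return 1; }
    expiring=$(chain_expiring "$dir/trusted_server_chain.crt" "$days")
    if [ -n "$expiring" ]; then
        echo "expires within $days days:" >&2; echo "$expiring" >&2; return 1
    fi
    echo "certificate set in $dir is consistent"
}
```

A non-zero exit from preflight means the files should be corrected before they are mounted into the container.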