Android 2.3.5 supplicants failing after upgrade to FreeRADIUS 2.2.5 from 2.2.0

Robert Franklin rcf34 at cam.ac.uk
Mon Jun 2 21:30:56 CEST 2014


On 2 Jun 2014, at 13:56, Robert Franklin <rcf34 at cam.ac.uk> wrote:

> The EAP tunnel doesn't get established as things stop before then, so we haven't even checked the inner username yet.

I've done some further testing with eapol_test compiled under Linux.  I can't get this to authenticate at all, so I either have it misconfigured or the server problem extends to this.

I've attached the output from eapol_test to see if someone can make sense of it.  I can see the certificate chain and CA being reported as being sent by the server, but there is also this part (full stuff in the attached file):

CTRL-EVENT-EAP-TLS-CERT-ERROR reason=10 depth=0 subject='/C=GB/ST=England/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=network.tokens.csx.cam.ac.uk' err='Server used client certificate'
EAP: Status notification: remote certificate verification (param=Server used client certificate)
SSL: (where=0x4008 ret=0x22e)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:certificate unknown
EAP: Status notification: local TLS alert (param=certificate unknown)
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I'm not sure if this is the problem, but then I don't know if this error is correct or not.  I have this in the configuration file (as the only network - there is lots of other stuff at the top):

network={
	ssid="eduroam"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="300-145-354 at wireless.cam.ac.uk"
	anonymous_identity="@cam.ac.uk"
	password="a4bumip3"
	ca_cert="/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt"
	phase1="peaplabel=1"
	phase2="autheap=MSCHAPV2"
}


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: eapol_test_output.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140602/73cc4379/attachment-0001.txt>
-------------- next part --------------



If there's some extra test I should be trying or a misconfiguration in the test, please let me know.

I do now have a blank Android 2.3.5 phone (an HTC Wildfire S - stop dribbling at the back there!) and it is failing in the same way as the other users.

  - Bob


-- 
Bob Franklin   rcf34 at cam.ac.uk / +44 1223 748479
Networks, University Information Services, University of Cambridge


