Thank you very much for replying ! By client, do you mean the WiFi access point or the Android device ? Le mar. 28 juin 2022 à 22:13, Alan DeKok <aland@deployingradius.com> a écrit :
On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07@gmail.com> wrote:
For some times now, Android 11 requires cert validation in WiFi connections (see [1]). At the same time, Android 11 also makes it much harder for end users to import self-signed root CA (see [2]). As I provide WiFi connectivity in BYOD environments and can't help end users when they import certs, I choosed to test PEAP/MSCHAPv2 with LetsEncrypt certs though I know this would be less secure than with self-signed root CA.
That's fine.
My lab setup includes: - a Freeradius 3.0.21 on Debian Bullseye
I would very much suggest using 3.2.0. It has better debugging for TLS. And packages are available on http://packages.networkradius.com
(26) eap_peap: <<< recv TLS 1.3 [length 007e]
i.e. from the client
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello (26) eap_peap: >>> send TLS 1.2 [length 003d]
i.e. FreeRADIUS is sending this.
(31) eap_peap: <<< recv TLS 1.2 [length 0002] (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
The client is sending this message to FreeRADIUS.
i.e. the client doesn't like the certificate sent by FreeRADIUS.
If the certificate isn't expired, then you need to fix the client. Either it's time is wrong, or something else is going on.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html