Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 read client certificate A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 read client key exchange A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 read certificate verify A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 read finished A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 write change cipher spec A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 write finished A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 flush data Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: (other): SSL negotiation finished successfully Wed May 27 00:16:37 2015 : Debug: SSL Connection Established While Windows (including XP) as well as Apple clients (including iOS) are working great Android has issues connecting using EAP-TLS. As soon as I select a CA certificate in Android the connection is not possible. If I don't select any CA certificate the connection works, beside it's actually not EAP-TLS since the server certificate is not validated. Just for my understanding, in the above debug output which side of the
and <<< is the RADIUS server and which is the client? Does the second line means the server (left) read from the client (right)? If so does the last line means the server (left) wrote to the client (right)?
The debug output of the failing Android EAP-TLS attempt is below - in case someone is interested. Wed May 27 00:10:44 2015 : Debug: (89) eap: EAP TLS (13) Wed May 27 00:10:44 2015 : Debug: (89) eap: Calling eap_tls to process EAP data Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: Authenticate Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: processing EAP-TLS Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: eaptls_verify returned 7 Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: Done initial handshake Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: SSL says: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca Wed May 27 00:10:44 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. Wed May 27 00:10:44 2015 : Debug: TLS receive handshake failed during operation Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: eaptls_process returned 4 Wed May 27 00:10:44 2015 : ERROR: (89) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed And for everybody else. Here is the official error return codes page for openssl https://www.openssl.org/docs/ssl/SSL_alert_type_string.html