On Mar 24, 2022, at 6:13 PM, Ben Dronen <dronenb@andrews.edu> wrote:
Thank you all for your hard work in keeping FreeRadius excellent. I am currently running FreeRADIUS 3.0.20. I am looking to solve an issue with using a certificate purchased from GlobalSign with Android 11 clients. When connecting to WiFi, we select EAP-PEAP and MSCHAPv2, then as the domain we put the CA of the certificate we purchased, but when connecting, we get the "ERROR: TLS Alert read:fatal:unknown CA".
Which means that the CA isn't known to the Android device.
I have seen some information on this error in previous threads (Alan DeKok said in a previous thread that "That's an alert from the client. It doesn't recognize the CA which signed the server certificate.").
Yes.
However, according to the list of official CA's found here: https://android.googlesource.com/platform/system/ca-certificates/+/master/fi..., the GlobalSign Root CA is part of Android (filename b0f3e76e.0).
That's for *web* use. If you want to use that CA for *Wifi* you have to enable it manually.
I was able to get this working fine with a Let's Encrypt Certificate (using cert.pem as the certificate_file in mods-enabled/eap and fullchain.pem as the ca_file in mods-enabled/eap). However, this isn't working with the GlobalSign cert.pem and fullchain.pem (which I created manually with the certificate and CA chain). Does anybody have any insights?
Configure Wifi / EAP on the Android device so that it accepts the CA you're using. Nothing else will fix the problem.
When making the fullchain.pem (shown below), I did it in this order: server, intermediate, then root, like the Let's Encrypt fullchain.pem was, to no avail. The reason we are using a GlobalSign certificate instead of the Let's Encrypt certificate is so iOS users don't have to re-accept a new certificate every 90 days, only once per year. The reason for needing a cert from a signed CA is so Android users don't have to import a CA to get on our 802.1x network. My insights on the certificate chain have come from this article: https://extremeportal.force.com/ExtrArticleDetail?an=000092023
Which says to configure the Android device to "use system certificates". That hasn't been done here. Alan DeKok.