On May 26, 2015, at 6:27 PM, Ben Humpert <ben@an3k.de> wrote:
While Windows (including XP) as well as Apple clients (including iOS) are working great Android has issues connecting using EAP-TLS. As soon as I select a CA certificate in Android the connection is not possible. If I don't select any CA certificate the connection works,
Because it's not validating the CA cert in that case.
beside it's actually not EAP-TLS since the server certificate is not validated.
Exactly.
Just for my understanding, in the above debug output which side of the
and <<< is the RADIUS server and which is the client? Does the second line means the server (left) read from the client (right)? If so does the last line means the server (left) wrote to the client (right)?
Yes.
The debug output of the failing Android EAP-TLS attempt is below - in case someone is interested.
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
The client certificate was signed by a CA unknown to FreeRADIUS. You need to put the CA in the raddb/certs directory, and configure FreeRADIUS to read it. Alan DeKok.