certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi
Hello, For some times now, Android 11 requires cert validation in WiFi connections (see [1]). At the same time, Android 11 also makes it much harder for end users to import self-signed root CA (see [2]). As I provide WiFi connectivity in BYOD environments and can't help end users when they import certs, I choosed to test PEAP/MSCHAPv2 with LetsEncrypt certs though I know this would be less secure than with self-signed root CA. I'm planning to generate and renew LetsEncrypt cert on a remote Internet-connected host, and then copy both privkey.pem and fullchain.pem files to Freeradius instance, as suggested by [3]. In my lab setup, I'm using a Samsung Galaxy Tab A7 Lite to test. Though being Android 11-powered, this device also allows Do-Not-Validate pre-Android 11 option ! When I connect to WiFi with this device, I'm using the following settings: Identity: bar Password: whateverneeded CA Certificate: use system certificate Online cert status: do not validate Domain: the exact CN value My lab setup includes: - a Freeradius 3.0.21 on Debian Bullseye - a Unifi WiFi Network 6.5.55 with WiFi AP - a Samsung Galaxy Tab A7 Lite - valid LetsEncrypt certs My certs files are copied into Freeradius host as: # ls -l /etc/freeradius/3.0/certs/letsencrypt/ total 12 -rw-r----- 1 freerad freerad 5604 27 juin 19:04 fullchain.pem -rw------- 1 freerad freerad 1704 27 juin 19:04 privkey.pem # openssl x509 -dates -noout -in /etc/freeradius/3.0/certs/letsencrypt/fullchain.pem notBefore=May 28 17:32:21 2022 GMT notAfter=Aug 26 17:32:20 2022 GMT [1] https://internet-access-guide.com/android-wifi-ca-certificate-do-not-validat... [2] https://httptoolkit.tech/blog/android-11-trust-ca-certificates/ [3] https://framebyframewifi.net/2017/01/29/use-lets-encrypt-certificates-with-f... When I connect to WiFi, this is part of freeradius -X output: # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } ... rlm_mschap (mschap): using internal authentication # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/letsencrypt/privkey.pem" certificate_file = "/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" disable_tlsv1 = yes disable_tlsv1_1 = yes tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Please use tls_min_version and tls_max_version instead of disable_tlsv1 Please use tls_min_version and tls_max_version instead of disable_tlsv1_2 # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336 } # server inner-tunnel server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on proxy address * port 56401 Listening on proxy address :: port 45775 Ready to process requests (26) eap: Peer sent EAP Response (code 2) ID 1 length 141 (26) eap: Continuing tunnel setup (26) [eap] = ok (26) } # authorize = ok (26) Found Auth-Type = eap (26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (26) authenticate { (26) eap: Expiring EAP session with state 0xc733062dc6321fce (26) eap: Finished EAP session with state 0xc733062dc6321fce (26) eap: Previous EAP request found for state 0xc733062dc6321fce, released from the list (26) eap: Peer sent packet with method EAP PEAP (25) (26) eap: Calling submodule eap_peap to process data (26) eap_peap: Continuing EAP-TLS (26) eap_peap: Peer indicated complete TLS record size will be 131 bytes (26) eap_peap: Got complete TLS record (131 bytes) (26) eap_peap: [eaptls verify] = length included (26) eap_peap: (other): before SSL initialization (26) eap_peap: TLS_accept: before SSL initialization (26) eap_peap: TLS_accept: before SSL initialization (26) eap_peap: <<< recv TLS 1.3 [length 007e] (26) eap_peap: TLS_accept: SSLv3/TLS read client hello (26) eap_peap: >>> send TLS 1.2 [length 003d] (26) eap_peap: TLS_accept: SSLv3/TLS write server hello (26) eap_peap: >>> send TLS 1.2 [length 0fbe] (26) eap_peap: TLS_accept: SSLv3/TLS write certificate (26) eap_peap: >>> send TLS 1.2 [length 014d] (26) eap_peap: TLS_accept: SSLv3/TLS write key exchange (26) eap_peap: >>> send TLS 1.2 [length 0004] (26) eap_peap: TLS_accept: SSLv3/TLS write server done (26) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (26) eap_peap: TLS - In Handshake Phase (26) eap_peap: TLS - got 4448 bytes of data (26) eap_peap: [eaptls process] = handled (26) eap: Sending EAP Request (code 1) ID 2 length 1004 (26) eap: EAP session adding &reply:State = 0xc733062dc5311fce (26) [eap] = handled (26) } # authenticate = handled (26) Using Post-Auth-Type Challenge (26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (26) Challenge { ... } # empty sub-section is ignored (26) Sent Access-Challenge Id 43 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (26) EAP-Message = 0x010203ec19c000001160160303003d020000390303af5657898d92eefe5085a4ad3604bed4f0f0b48e39cd7ada954fbee1b104098800c02f000011ff01000100000b000403000102001700001603030fbe0b000fba000fb70005303082052c30820414a003020102021203734b50cf2bcbeb7c22ada836c00a3f624f300d06092a864886f70d01010b05003032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b3009060355040313025233301e170d3232303532383137333232315a170d3232303832363137333232305a301e311c301a06035504031313686f7374332e706572656e69702e636c6f756430820122300d06092a864886f70d01010105000382010f003082010a0282010100e653da7ed722cc166a21b4055852edc8973b7daa624eb8897805f735be194e49d231f0d04e2d091679c8a1f9075bf6051d24661042467c293e77827ed8de02eacf8132699f9aac89cb9471f1857c292dca4cc9d69608d7 (26) Message-Authenticator = 0x00000000000000000000000000000000 (26) State = 0xc733062dc5311fceda200d98107c2728 (26) Finished request Waking up in 4.9 seconds. (27) Received Access-Request Id 44 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231 (27) User-Name = "bar" (27) NAS-IP-Address = 192.168.1.50 (27) NAS-Identifier = "f09fc2f50d43" (27) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (27) NAS-Port-Type = Wireless-802.11 (27) Service-Type = Framed-User (27) Calling-Station-Id = "2E-9A-17-FA-78-FA" (27) Connect-Info = "CONNECT 0Mbps 802.11b" (27) Acct-Session-Id = "2087B41CCAAC0F74" (27) Acct-Multi-Session-Id = "C546EF77BB09F037" (27) WLAN-Pairwise-Cipher = 1027076 (27) WLAN-Group-Cipher = 1027076 (27) WLAN-AKM-Suite = 1027073 (27) Framed-MTU = 1400 (27) EAP-Message = 0x020200061900 (27) State = 0xc733062dc5311fceda200d98107c2728 (27) Message-Authenticator = 0x39f4e95b5909f1152843a2e02fbaffde (27) session-state: No cached attributes (27) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (27) authorize { (27) policy filter_username { (27) if (&User-Name) { (27) if (&User-Name) -> TRUE (27) if (&User-Name) { (27) if (&User-Name =~ / /) { (27) if (&User-Name =~ / /) -> FALSE (27) if (&User-Name =~ /@[^@]*@/ ) { (27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (27) if (&User-Name =~ /\.\./ ) { (27) if (&User-Name =~ /\.\./ ) -> FALSE (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (27) if (&User-Name =~ /\.$/) { (27) if (&User-Name =~ /\.$/) -> FALSE (27) if (&User-Name =~ /@\./) { (27) if (&User-Name =~ /@\./) -> FALSE (27) } # if (&User-Name) = notfound (27) } # policy filter_username = notfound (27) [preprocess] = ok (27) [chap] = noop (27) [mschap] = noop (27) [digest] = noop (27) suffix: Checking for suffix after "@" (27) suffix: No '@' in User-Name = "bar", looking up realm NULL (27) suffix: No such realm "NULL" (27) [suffix] = noop (27) eap: Peer sent EAP Response (code 2) ID 2 length 6 (27) eap: Continuing tunnel setup (27) [eap] = ok (27) } # authorize = ok (27) Found Auth-Type = eap (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (27) authenticate { (27) eap: Expiring EAP session with state 0xc733062dc5311fce (27) eap: Finished EAP session with state 0xc733062dc5311fce (27) eap: Previous EAP request found for state 0xc733062dc5311fce, released from the list (27) eap: Peer sent packet with method EAP PEAP (25) (27) eap: Calling submodule eap_peap to process data (27) eap_peap: Continuing EAP-TLS (27) eap_peap: Peer ACKed our handshake fragment (27) eap_peap: [eaptls verify] = request (27) eap_peap: [eaptls process] = handled (27) eap: Sending EAP Request (code 1) ID 3 length 1000 (27) eap: EAP session adding &reply:State = 0xc733062dc4301fce (27) [eap] = handled (27) } # authenticate = handled (27) Using Post-Auth-Type Challenge (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (27) Challenge { ... } # empty sub-section is ignored (27) Sent Access-Challenge Id 44 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (27) EAP-Message = 0x010303e81940cca15e2a9dd6bfa61b4d866fdcc7284c9a6a860076002979bef09e393921f056739f63a577e5be577d9c600af8f94d5d265c255dc784000001810bf0d4030000040300473045022037d7b0385f16f2b16e8903082d51bb15604c0262cd7473239d165e5ca5a858740221009c92c932de42f9d7883a89cd8ddc171d91a0f5b0d2e77b6886d1ea473f7fbe17300d06092a864886f70d01010b05000382010100731334fe1bbdc145631a0ddd0e7174e87df1da2cf6b032521bba82995c0460886e5b751c5f0b417ad32fa987caac9f61be48ec68673e33bc5a1deebe1004c5546cb3ef098495ab393bd60c614e132ad13e5fe0ca56106aeb92cf1f4e6de2f8f736bc1e94b7659439b711b931ba2174abb85ef05347b7d82f18411fe147f74939fbe311977c50c90b7c7720e890b59300fef66c0c7b84cd536cbde1aee6231f21550751613cba3ad52f48c82b2cc0de8e38764ba3c988a8cd37994500c1233288e294319b95c4600a48b3094eadf3ac1d68bf (27) Message-Authenticator = 0x00000000000000000000000000000000 (27) State = 0xc733062dc4301fceda200d98107c2728 (27) Finished request Waking up in 4.9 seconds. (28) Received Access-Request Id 45 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231 (28) User-Name = "bar" (28) NAS-IP-Address = 192.168.1.50 (28) NAS-Identifier = "f09fc2f50d43" (28) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (28) NAS-Port-Type = Wireless-802.11 (28) Service-Type = Framed-User (28) Calling-Station-Id = "2E-9A-17-FA-78-FA" (28) Connect-Info = "CONNECT 0Mbps 802.11b" (28) Acct-Session-Id = "2087B41CCAAC0F74" (28) Acct-Multi-Session-Id = "C546EF77BB09F037" (28) WLAN-Pairwise-Cipher = 1027076 (28) WLAN-Group-Cipher = 1027076 (28) WLAN-AKM-Suite = 1027073 (28) Framed-MTU = 1400 (28) EAP-Message = 0x020300061900 (28) State = 0xc733062dc4301fceda200d98107c2728 (28) Message-Authenticator = 0x441e1d2d2df0e955fe4065c44cb93a6b (28) session-state: No cached attributes (28) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (28) authorize { (28) policy filter_username { (28) if (&User-Name) { (28) if (&User-Name) -> TRUE (28) if (&User-Name) { (28) if (&User-Name =~ / /) { (28) if (&User-Name =~ / /) -> FALSE (28) if (&User-Name =~ /@[^@]*@/ ) { (28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (28) if (&User-Name =~ /\.\./ ) { (28) if (&User-Name =~ /\.\./ ) -> FALSE (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (28) if (&User-Name =~ /\.$/) { (28) if (&User-Name =~ /\.$/) -> FALSE (28) if (&User-Name =~ /@\./) { (28) if (&User-Name =~ /@\./) -> FALSE (28) } # if (&User-Name) = notfound (28) } # policy filter_username = notfound (28) [preprocess] = ok (28) [chap] = noop (28) [mschap] = noop (28) [digest] = noop (28) suffix: Checking for suffix after "@" (28) suffix: No '@' in User-Name = "bar", looking up realm NULL (28) suffix: No such realm "NULL" (28) [suffix] = noop (28) eap: Peer sent EAP Response (code 2) ID 3 length 6 (28) eap: Continuing tunnel setup (28) [eap] = ok (28) } # authorize = ok (28) Found Auth-Type = eap (28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (28) authenticate { (28) eap: Expiring EAP session with state 0xc733062dc4301fce (28) eap: Finished EAP session with state 0xc733062dc4301fce (28) eap: Previous EAP request found for state 0xc733062dc4301fce, released from the list (28) eap: Peer sent packet with method EAP PEAP (25) (28) eap: Calling submodule eap_peap to process data (28) eap_peap: Continuing EAP-TLS (28) eap_peap: Peer ACKed our handshake fragment (28) eap_peap: [eaptls verify] = request (28) eap_peap: [eaptls process] = handled (28) eap: Sending EAP Request (code 1) ID 4 length 1000 (28) eap: EAP session adding &reply:State = 0xc733062dc3371fce (28) [eap] = handled (28) } # authenticate = handled (28) Using Post-Auth-Type Challenge (28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (28) Challenge { ... } # empty sub-section is ignored (28) Sent Access-Challenge Id 45 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (28) EAP-Message = 0x010403e8194001ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10 (28) Message-Authenticator = 0x00000000000000000000000000000000 (28) State = 0xc733062dc3371fceda200d98107c2728 (28) Finished request Waking up in 4.9 seconds. (29) Received Access-Request Id 46 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231 (29) User-Name = "bar" (29) NAS-IP-Address = 192.168.1.50 (29) NAS-Identifier = "f09fc2f50d43" (29) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (29) NAS-Port-Type = Wireless-802.11 (29) Service-Type = Framed-User (29) Calling-Station-Id = "2E-9A-17-FA-78-FA" (29) Connect-Info = "CONNECT 0Mbps 802.11b" (29) Acct-Session-Id = "2087B41CCAAC0F74" (29) Acct-Multi-Session-Id = "C546EF77BB09F037" (29) WLAN-Pairwise-Cipher = 1027076 (29) WLAN-Group-Cipher = 1027076 (29) WLAN-AKM-Suite = 1027073 (29) Framed-MTU = 1400 (29) EAP-Message = 0x020400061900 (29) State = 0xc733062dc3371fceda200d98107c2728 (29) Message-Authenticator = 0x662064b545b5aa385ea1ebd63c5d881b (29) session-state: No cached attributes (29) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (29) authorize { (29) policy filter_username { (29) if (&User-Name) { (29) if (&User-Name) -> TRUE (29) if (&User-Name) { (29) if (&User-Name =~ / /) { (29) if (&User-Name =~ / /) -> FALSE (29) if (&User-Name =~ /@[^@]*@/ ) { (29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (29) if (&User-Name =~ /\.\./ ) { (29) if (&User-Name =~ /\.\./ ) -> FALSE (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (29) if (&User-Name =~ /\.$/) { (29) if (&User-Name =~ /\.$/) -> FALSE (29) if (&User-Name =~ /@\./) { (29) if (&User-Name =~ /@\./) -> FALSE (29) } # if (&User-Name) = notfound (29) } # policy filter_username = notfound (29) [preprocess] = ok (29) [chap] = noop (29) [mschap] = noop (29) [digest] = noop (29) suffix: Checking for suffix after "@" (29) suffix: No '@' in User-Name = "bar", looking up realm NULL (29) suffix: No such realm "NULL" (29) [suffix] = noop (29) eap: Peer sent EAP Response (code 2) ID 4 length 6 (29) eap: Continuing tunnel setup (29) [eap] = ok (29) } # authorize = ok (29) Found Auth-Type = eap (29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (29) authenticate { (29) eap: Expiring EAP session with state 0xc733062dc3371fce (29) eap: Finished EAP session with state 0xc733062dc3371fce (29) eap: Previous EAP request found for state 0xc733062dc3371fce, released from the list (29) eap: Peer sent packet with method EAP PEAP (25) (29) eap: Calling submodule eap_peap to process data (29) eap_peap: Continuing EAP-TLS (29) eap_peap: Peer ACKed our handshake fragment (29) eap_peap: [eaptls verify] = request (29) eap_peap: [eaptls process] = handled (29) eap: Sending EAP Request (code 1) ID 5 length 1000 (29) eap: EAP session adding &reply:State = 0xc733062dc2361fce (29) [eap] = handled (29) } # authenticate = handled (29) Using Post-Auth-Type Challenge (29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (29) Challenge { ... } # empty sub-section is ignored (29) Sent Access-Challenge Id 46 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (29) EAP-Message = 0x010503e81940f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd0 (29) Message-Authenticator = 0x00000000000000000000000000000000 (29) State = 0xc733062dc2361fceda200d98107c2728 (29) Finished request Waking up in 4.8 seconds. (30) Received Access-Request Id 47 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231 (30) User-Name = "bar" (30) NAS-IP-Address = 192.168.1.50 (30) NAS-Identifier = "f09fc2f50d43" (30) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (30) NAS-Port-Type = Wireless-802.11 (30) Service-Type = Framed-User (30) Calling-Station-Id = "2E-9A-17-FA-78-FA" (30) Connect-Info = "CONNECT 0Mbps 802.11b" (30) Acct-Session-Id = "2087B41CCAAC0F74" (30) Acct-Multi-Session-Id = "C546EF77BB09F037" (30) WLAN-Pairwise-Cipher = 1027076 (30) WLAN-Group-Cipher = 1027076 (30) WLAN-AKM-Suite = 1027073 (30) Framed-MTU = 1400 (30) EAP-Message = 0x020500061900 (30) State = 0xc733062dc2361fceda200d98107c2728 (30) Message-Authenticator = 0xdb1a11eda65bfd28f2bae8a4467c4bea (30) session-state: No cached attributes (30) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (30) authorize { (30) policy filter_username { (30) if (&User-Name) { (30) if (&User-Name) -> TRUE (30) if (&User-Name) { (30) if (&User-Name =~ / /) { (30) if (&User-Name =~ / /) -> FALSE (30) if (&User-Name =~ /@[^@]*@/ ) { (30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (30) if (&User-Name =~ /\.\./ ) { (30) if (&User-Name =~ /\.\./ ) -> FALSE (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (30) if (&User-Name =~ /\.$/) { (30) if (&User-Name =~ /\.$/) -> FALSE (30) if (&User-Name =~ /@\./) { (30) if (&User-Name =~ /@\./) -> FALSE (30) } # if (&User-Name) = notfound (30) } # policy filter_username = notfound (30) [preprocess] = ok (30) [chap] = noop (30) [mschap] = noop (30) [digest] = noop (30) suffix: Checking for suffix after "@" (30) suffix: No '@' in User-Name = "bar", looking up realm NULL (30) suffix: No such realm "NULL" (30) [suffix] = noop (30) eap: Peer sent EAP Response (code 2) ID 5 length 6 (30) eap: Continuing tunnel setup (30) [eap] = ok (30) } # authorize = ok (30) Found Auth-Type = eap (30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (30) authenticate { (30) eap: Expiring EAP session with state 0xc733062dc2361fce (30) eap: Finished EAP session with state 0xc733062dc2361fce (30) eap: Previous EAP request found for state 0xc733062dc2361fce, released from the list (30) eap: Peer sent packet with method EAP PEAP (25) (30) eap: Calling submodule eap_peap to process data (30) eap_peap: Continuing EAP-TLS (30) eap_peap: Peer ACKed our handshake fragment (30) eap_peap: [eaptls verify] = request (30) eap_peap: [eaptls process] = handled (30) eap: Sending EAP Request (code 1) ID 6 length 478 (30) eap: EAP session adding &reply:State = 0xc733062dc1351fce (30) [eap] = handled (30) } # authenticate = handled (30) Using Post-Auth-Type Challenge (30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (30) Challenge { ... } # empty sub-section is ignored (30) Sent Access-Challenge Id 47 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (30) EAP-Message = 0x010601de1900676dc257c5463941cf8a5883586d99fe57e8360ef00e23aafd8897d0e35c0e9449b5b51735d22ebf4e85ef18e08592eb063b6c29230960dc45024c12183be9fb0ededc44f85898aeeabd4545a1885d66cafe10e96f82c811420dfbe9ece38600de9d10e338faa47db1d8e8498284069b2be86b4f010c38772ef9dde739160303014d0c0001490300174104182d51bb94eedf8e4d45ba672b11c1683550862e7b3cbcc4c060eeb4bb6a788ba97e3226321cf8ba7055f70228fd8fbd726b203aaecea3297f2f15e87c0e13190804010065efa44cf7b89671f95ce0791208321c652e630ca175e1c4c11946ffa99a7ecddf6f6e5bc8b7689bca97ea17a48c085474e867dc62b2102a477c4a022336e02e2e4e38d5542a7c69276d22fd961b4022e88c54c7fe6fad2d1176b734f007a2af32ae3fd62b53a6fcd2da0b78040ee68241e4435189e87093b227e4f4f9ebb3c1b3da591bd3c129f70dcd71fca22d92ceaa6318dfcf6397a92d127e2a999be84a9be8 (30) Message-Authenticator = 0x00000000000000000000000000000000 (30) State = 0xc733062dc1351fceda200d98107c2728 (30) Finished request Waking up in 4.8 seconds. (31) Received Access-Request Id 48 from 192.168.1.50:58452 to 192.168.1.244:1812 length 242 (31) User-Name = "bar" (31) NAS-IP-Address = 192.168.1.50 (31) NAS-Identifier = "f09fc2f50d43" (31) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (31) NAS-Port-Type = Wireless-802.11 (31) Service-Type = Framed-User (31) Calling-Station-Id = "2E-9A-17-FA-78-FA" (31) Connect-Info = "CONNECT 0Mbps 802.11b" (31) Acct-Session-Id = "2087B41CCAAC0F74" (31) Acct-Multi-Session-Id = "C546EF77BB09F037" (31) WLAN-Pairwise-Cipher = 1027076 (31) WLAN-Group-Cipher = 1027076 (31) WLAN-AKM-Suite = 1027073 (31) Framed-MTU = 1400 (31) EAP-Message = 0x020600111980000000071503030002022d (31) State = 0xc733062dc1351fceda200d98107c2728 (31) Message-Authenticator = 0x96fa48935246587652cd6219e8243639 (31) session-state: No cached attributes (31) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (31) authorize { (31) policy filter_username { (31) if (&User-Name) { (31) if (&User-Name) -> TRUE (31) if (&User-Name) { (31) if (&User-Name =~ / /) { (31) if (&User-Name =~ / /) -> FALSE (31) if (&User-Name =~ /@[^@]*@/ ) { (31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (31) if (&User-Name =~ /\.\./ ) { (31) if (&User-Name =~ /\.\./ ) -> FALSE (31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (31) if (&User-Name =~ /\.$/) { (31) if (&User-Name =~ /\.$/) -> FALSE (31) if (&User-Name =~ /@\./) { (31) if (&User-Name =~ /@\./) -> FALSE (31) } # if (&User-Name) = notfound (31) } # policy filter_username = notfound (31) [preprocess] = ok (31) [chap] = noop (31) [mschap] = noop (31) [digest] = noop (31) suffix: Checking for suffix after "@" (31) suffix: No '@' in User-Name = "bar", looking up realm NULL (31) suffix: No such realm "NULL" (31) [suffix] = noop (31) eap: Peer sent EAP Response (code 2) ID 6 length 17 (31) eap: Continuing tunnel setup (31) [eap] = ok (31) } # authorize = ok (31) Found Auth-Type = eap (31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (31) authenticate { (31) eap: Expiring EAP session with state 0xc733062dc1351fce (31) eap: Finished EAP session with state 0xc733062dc1351fce (31) eap: Previous EAP request found for state 0xc733062dc1351fce, released from the list (31) eap: Peer sent packet with method EAP PEAP (25) (31) eap: Calling submodule eap_peap to process data (31) eap_peap: Continuing EAP-TLS (31) eap_peap: Peer indicated complete TLS record size will be 7 bytes (31) eap_peap: Got complete TLS record (7 bytes) (31) eap_peap: [eaptls verify] = length included (31) eap_peap: <<< recv TLS 1.2 [length 0002] (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired (31) eap_peap: TLS_accept: Need to read more data: error (31) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired (31) eap_peap: TLS - In Handshake Phase (31) eap_peap: TLS - Application data. (31) eap_peap: ERROR: TLS failed during operation (31) eap_peap: ERROR: [eaptls process] = fail (31) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (31) eap: Sending EAP Failure (code 4) ID 6 length 4 (31) eap: Failed in EAP select (31) [eap] = invalid (31) } # authenticate = invalid (31) Failed to authenticate the user (31) Using Post-Auth-Type Reject (31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (31) Post-Auth-Type REJECT { (31) attr_filter.access_reject: EXPAND %{User-Name} (31) attr_filter.access_reject: --> bar (31) attr_filter.access_reject: Matched entry DEFAULT at line 11 (31) [attr_filter.access_reject] = updated (31) [eap] = noop (31) policy remove_reply_message_if_eap { (31) if (&reply:EAP-Message && &reply:Reply-Message) { (31) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (31) else { (31) [noop] = noop (31) } # else = noop (31) } # policy remove_reply_message_if_eap = noop (31) } # Post-Auth-Type REJECT = updated (31) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (31) Sending delayed response (31) Sent Access-Reject Id 48 from 192.168.1.244:1812 to 192.168.1.50:58452 length 44 (31) EAP-Message = 0x04060004 (31) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (24) Cleaning up request packet ID 41 with timestamp +308 How can I correct this ? Best regards
On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07@gmail.com> wrote:
For some times now, Android 11 requires cert validation in WiFi connections (see [1]). At the same time, Android 11 also makes it much harder for end users to import self-signed root CA (see [2]). As I provide WiFi connectivity in BYOD environments and can't help end users when they import certs, I choosed to test PEAP/MSCHAPv2 with LetsEncrypt certs though I know this would be less secure than with self-signed root CA.
That's fine.
My lab setup includes: - a Freeradius 3.0.21 on Debian Bullseye
I would very much suggest using 3.2.0. It has better debugging for TLS. And packages are available on http://packages.networkradius.com
(26) eap_peap: <<< recv TLS 1.3 [length 007e]
i.e. from the client
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello (26) eap_peap: >>> send TLS 1.2 [length 003d]
i.e. FreeRADIUS is sending this.
(31) eap_peap: <<< recv TLS 1.2 [length 0002] (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
The client is sending this message to FreeRADIUS. i.e. the client doesn't like the certificate sent by FreeRADIUS. If the certificate isn't expired, then you need to fix the client. Either it's time is wrong, or something else is going on. Alan DeKok.
Thank you very much for replying ! By client, do you mean the WiFi access point or the Android device ? Le mar. 28 juin 2022 à 22:13, Alan DeKok <aland@deployingradius.com> a écrit :
On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07@gmail.com> wrote:
For some times now, Android 11 requires cert validation in WiFi connections (see [1]). At the same time, Android 11 also makes it much harder for end users to import self-signed root CA (see [2]). As I provide WiFi connectivity in BYOD environments and can't help end users when they import certs, I choosed to test PEAP/MSCHAPv2 with LetsEncrypt certs though I know this would be less secure than with self-signed root CA.
That's fine.
My lab setup includes: - a Freeradius 3.0.21 on Debian Bullseye
I would very much suggest using 3.2.0. It has better debugging for TLS. And packages are available on http://packages.networkradius.com
(26) eap_peap: <<< recv TLS 1.3 [length 007e]
i.e. from the client
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello (26) eap_peap: >>> send TLS 1.2 [length 003d]
i.e. FreeRADIUS is sending this.
(31) eap_peap: <<< recv TLS 1.2 [length 0002] (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
The client is sending this message to FreeRADIUS.
i.e. the client doesn't like the certificate sent by FreeRADIUS.
If the certificate isn't expired, then you need to fix the client. Either it's time is wrong, or something else is going on.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Le mer. 29 juin 2022 à 17:49, Alan DeKok <aland@deployingradius.com> a écrit :
On Jun 29, 2022, at 11:47 AM, Olivier <oza.4h07@gmail.com> wrote:
Thank you very much for replying !
By client, do you mean the WiFi access point or the Android device ?
The android device.
The WiFi AP doesn't do EAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That is the reply I feared ;-) I used a Samsung Galaxy tablet which is very hard to describe from a software point of view between Android version (11), One UI Core (3.1), SE (enforced) and Knox (3.7) ... Maybe I should use a different device for my testings (a Google Pixel ?) and prepare a B Plan for "non-compliant-with-my-settings" devices. Life is hard !
Hi Oliver, I don't know if you have solved the problem, but the way to solve it is: when you generate the certificate with acme.sh add this parameter '--preferred-chain "ISRG Root X1"'. Greetings. -----Mensaje original----- De: Freeradius-Users <freeradius-users-bounces+julio.salas=emincar.com@lists.freeradius.org> En nombre de Olivier Enviado el: miércoles, 29 de junio de 2022 11:47 Para: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Asunto: Re: certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi Thank you very much for replying ! By client, do you mean the WiFi access point or the Android device ? Le mar. 28 juin 2022 à 22:13, Alan DeKok <aland@deployingradius.com> a écrit :
On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07@gmail.com> wrote:
For some times now, Android 11 requires cert validation in WiFi connections (see [1]). At the same time, Android 11 also makes it much harder for end users to import self-signed root CA (see [2]). As I provide WiFi connectivity in BYOD environments and can't help end users when they import certs, I choosed to test PEAP/MSCHAPv2 with LetsEncrypt certs though I know this would be less secure than with self-signed root CA.
That's fine.
My lab setup includes: - a Freeradius 3.0.21 on Debian Bullseye
I would very much suggest using 3.2.0. It has better debugging for TLS. And packages are available on http://packages.networkradius.com
(26) eap_peap: <<< recv TLS 1.3 [length 007e]
i.e. from the client
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello (26) eap_peap: >>> send TLS 1.2 [length 003d]
i.e. FreeRADIUS is sending this.
(31) eap_peap: <<< recv TLS 1.2 [length 0002] (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
The client is sending this message to FreeRADIUS.
i.e. the client doesn't like the certificate sent by FreeRADIUS.
If the certificate isn't expired, then you need to fix the client. Either it's time is wrong, or something else is going on.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Julio Edel Salas Díaz -
Olivier