EAP-PEAP Issue with new Android device
Hi, while trying to setup a new Android device an issue started to appear: Short Story: Authentication fails in the (i guess) P1 phase of EAP-PEAP with a message: certificate expired. Long Story: The radius server is using LetsEncrypt Server certs for ist TLS configuration. That setups works with every device i know of in this network. A new Android device however seems to behave weird with it. Logging Freeradius with the -X flag results with the log below. The device is set to not validate the server cert and use EAP-PEAP for P1 and MSCHAPv2 for P2. kp@<domain-stripped> is the anonymous identity. The last message seems rather short (TLS Length 7) which doesn't sound right. I know there is an issue with the domain detection because its only checking for ntdomain. Thats work for another day. Thank you in advance, Daniel Lux ``` (298) Received Access-Request Id 166 from 10.2.254.253:60831 to 10.0.0.248:1812 length 208 (298) User-Name = "kp@<domain-stripped>" (298) NAS-IP-Address = 10.2.254.253 (298) NAS-Port = 0 (298) NAS-Identifier = "10.2.254.253" (298) NAS-Port-Type = Wireless-802.11 (298) Calling-Station-Id = "843E1D87F5BF" (298) Called-Station-Id = "204C03033278" (298) Service-Type = Framed-User (298) Framed-MTU = 1100 (298) EAP-Message = 0x0201001b016b70407261747367796d6e617369756d2d70652e6465 (298) Aruba-Essid-Name = "RatseNetL" (298) Aruba-Location-Id = "AP18" (298) Aruba-AP-Group = "OS-Trakt" (298) Message-Authenticator = 0xd4fead8cee934d4d691b8e1218e4220d (298) # Executing section authorize from file /etc/freeradius/sites-enabled/default (298) authorize { (298) [preprocess] = ok (298) ntdomain: Checking for prefix before "\" (298) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up realm NULL (298) ntdomain: No such realm "NULL" (298) [ntdomain] = noop (298) update control { (298) &Proxy-To-Realm := LOCAL (298) } # update control = noop (298) [chap] = noop (298) [mschap] = noop (298) [digest] = noop (298) eap: Peer sent EAP Response (code 2) ID 1 length 27 (298) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (298) [eap] = ok (298) } # authorize = ok (298) Found Auth-Type = eap (298) # Executing group from file /etc/freeradius/sites-enabled/default (298) authenticate { (298) eap: Peer sent packet with method EAP Identity (1) (298) eap: Calling submodule eap_peap to process data (298) eap_peap: Initiating new EAP-TLS session (298) eap_peap: [eaptls start] = request (298) eap: Sending EAP Request (code 1) ID 2 length 6 (298) eap: EAP session adding &reply:State = 0xe37f3d5de37d24b2 (298) [eap] = handled (298) } # authenticate = handled (298) Using Post-Auth-Type Challenge (298) Post-Auth-Type sub-section not found. Ignoring. (298) # Executing group from file /etc/freeradius/sites-enabled/default (298) Sent Access-Challenge Id 166 from 10.0.0.248:1812 to 10.2.254.253:60831 length 0 (298) EAP-Message = 0x010200061920 (298) Message-Authenticator = 0x00000000000000000000000000000000 (298) State = 0xe37f3d5de37d24b242773e627ff3f802 (298) Finished request (299) Received Access-Request Id 47 from 10.2.254.253:60831 to 10.0.0.248:1812 length 340 (299) User-Name = "kp@<domain-stripped>" (299) NAS-IP-Address = 10.2.254.253 (299) NAS-Port = 0 (299) NAS-Identifier = "10.2.254.253" (299) NAS-Port-Type = Wireless-802.11 (299) Calling-Station-Id = "843E1D87F5BF" (299) Called-Station-Id = "204C03033278" (299) Service-Type = Framed-User (299) Framed-MTU = 1100 (299) EAP-Message = 0x0202008d198000000083160301007e0100007a03039cd3aa393b421414e62481d34c86e861 c1dd382868b4f29944d0c04c62ae43ec00001ec02bc02fc02cc030cca9cca8c009c013c00ac0 14009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b 00020100000d (299) State = 0xe37f3d5de37d24b242773e627ff3f802 (299) Aruba-Essid-Name = "RatseNetL" (299) Aruba-Location-Id = "AP18" (299) Aruba-AP-Group = "OS-Trakt" (299) Message-Authenticator = 0x6761200777d3cba4c291bc097f235982 (299) session-state: No cached attributes (299) # Executing section authorize from file /etc/freeradius/sites-enabled/default (299) authorize { (299) [preprocess] = ok (299) ntdomain: Checking for prefix before "\" (299) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up realm NULL (299) ntdomain: No such realm "NULL" (299) [ntdomain] = noop (299) update control { (299) &Proxy-To-Realm := LOCAL (299) } # update control = noop (299) [chap] = noop (299) [mschap] = noop (299) [digest] = noop (299) eap: Peer sent EAP Response (code 2) ID 2 length 141 (299) eap: Continuing tunnel setup (299) [eap] = ok (299) } # authorize = ok (299) Found Auth-Type = eap (299) # Executing group from file /etc/freeradius/sites-enabled/default (299) authenticate { (299) eap: Expiring EAP session with state 0x2b35f9422b37e0b9 (299) eap: Finished EAP session with state 0xe37f3d5de37d24b2 (299) eap: Previous EAP request found for state 0xe37f3d5de37d24b2, released from the list (299) eap: Peer sent packet with method EAP PEAP (25) (299) eap: Calling submodule eap_peap to process data (299) eap_peap: Continuing EAP-TLS (299) eap_peap: Peer indicated complete TLS record size will be 131 bytes (299) eap_peap: Got complete TLS record (131 bytes) (299) eap_peap: [eaptls verify] = length included (299) eap_peap: (other): before/accept initialization (299) eap_peap: TLS_accept: before/accept initialization (299) eap_peap: <<< recv TLS 1.2 [length 007e] (299) eap_peap: TLS_accept: unknown state (299) eap_peap: >>> send TLS 1.2 [length 0039] (299) eap_peap: TLS_accept: unknown state (299) eap_peap: >>> send TLS 1.2 [length 149f] (299) eap_peap: TLS_accept: unknown state (299) eap_peap: >>> send TLS 1.2 [length 014d] (299) eap_peap: TLS_accept: unknown state (299) eap_peap: >>> send TLS 1.2 [length 0004] (299) eap_peap: TLS_accept: unknown state (299) eap_peap: TLS_accept: unknown state (299) eap_peap: TLS_accept: unknown state (299) eap_peap: TLS_accept: Need to read more data: unknown state (299) eap_peap: TLS_accept: Need to read more data: unknown state (299) eap_peap: In SSL Handshake Phase (299) eap_peap: In SSL Accept mode (299) eap_peap: [eaptls process] = handled (299) eap: Sending EAP Request (code 1) ID 3 length 1004 (299) eap: EAP session adding &reply:State = 0xe37f3d5de27c24b2 (299) [eap] = handled (299) } # authenticate = handled (299) Using Post-Auth-Type Challenge (299) Post-Auth-Type sub-section not found. Ignoring. (299) # Executing group from file /etc/freeradius/sites-enabled/default (299) Sent Access-Challenge Id 47 from 10.0.0.248:1812 to 10.2.254.253:60831 length 0 (299) EAP-Message = 0x010303ec19c00000163d16030300390200003503032221981d91de057e15a5d627e7d85254 fb02778827cee35a6895f65d00e6180c00c02f00000dff01000100000b000403000102160303 149f0b00149b001498000a1130820a0d308208f5a00302010202120314c38ef6206d2a5d13b5 c8cb45752f9f (299) Message-Authenticator = 0x00000000000000000000000000000000 (299) State = 0xe37f3d5de27c24b242773e627ff3f802 (299) Finished request (240) Cleaning up request packet ID 111 with timestamp +10 (241) Cleaning up request packet ID 60 with timestamp +10 (300) Received Access-Request Id 62 from 10.2.254.253:60831 to 10.0.0.248:1812 length 205 (300) User-Name = "kp@<domain-stripped>" (300) NAS-IP-Address = 10.2.254.253 (300) NAS-Port = 0 (300) NAS-Identifier = "10.2.254.253" (300) NAS-Port-Type = Wireless-802.11 (300) Calling-Station-Id = "843E1D87F5BF" (300) Called-Station-Id = "204C03033278" (300) Service-Type = Framed-User (300) Framed-MTU = 1100 (300) EAP-Message = 0x020300061900 (300) State = 0xe37f3d5de27c24b242773e627ff3f802 (300) Aruba-Essid-Name = "RatseNetL" (300) Aruba-Location-Id = "AP18" (300) Aruba-AP-Group = "OS-Trakt" (300) Message-Authenticator = 0x808be1cbe0d6892e798f1d3413c760b5 (300) session-state: No cached attributes (300) # Executing section authorize from file /etc/freeradius/sites-enabled/default (300) authorize { (300) [preprocess] = ok (300) ntdomain: Checking for prefix before "\" (300) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up realm NULL (300) ntdomain: No such realm "NULL" (300) [ntdomain] = noop (300) update control { (300) &Proxy-To-Realm := LOCAL (300) } # update control = noop (300) [chap] = noop (300) [mschap] = noop (300) [digest] = noop (300) eap: Peer sent EAP Response (code 2) ID 3 length 6 (300) eap: Continuing tunnel setup (300) [eap] = ok (300) } # authorize = ok (300) Found Auth-Type = eap (300) # Executing group from file /etc/freeradius/sites-enabled/default (300) authenticate { (300) eap: Expiring EAP session with state 0x2b35f9422b37e0b9 (300) eap: Finished EAP session with state 0xe37f3d5de27c24b2 (300) eap: Previous EAP request found for state 0xe37f3d5de27c24b2, released from the list (300) eap: Peer sent packet with method EAP PEAP (25) (300) eap: Calling submodule eap_peap to process data (300) eap_peap: Continuing EAP-TLS (300) eap_peap: Peer ACKed our handshake fragment (300) eap_peap: [eaptls verify] = request (300) eap_peap: [eaptls process] = handled (300) eap: Sending EAP Request (code 1) ID 4 length 1000 (300) eap: EAP session adding &reply:State = 0xe37f3d5de17b24b2 (300) [eap] = handled (300) } # authenticate = handled (300) Using Post-Auth-Type Challenge (300) Post-Auth-Type sub-section not found. Ignoring. (300) # Executing group from file /etc/freeradius/sites-enabled/default (300) Sent Access-Challenge Id 62 from 10.0.0.248:1812 to 10.2.254.253:60831 length 0 (300) EAP-Message = 0x010403e8194069756d2d70652e6465821b686170726f78792e7261747367796d6e61736975 6d2d70652e64658218686f6d652e7261747367796d6e617369756d2d70652e64658218696d61 702e7261747367796d6e617369756d2d70652e6465821d696e666f62726574742e7261747367 796d6e617369 (300) Message-Authenticator = 0x00000000000000000000000000000000 (300) State = 0xe37f3d5de17b24b242773e627ff3f802 (300) Finished request (242) Cleaning up request packet ID 16 with timestamp +10 (301) Received Access-Request Id 64 from 10.2.254.253:60831 to 10.0.0.248:1812 length 205 (301) User-Name = "kp@<domain-stripped>" (301) NAS-IP-Address = 10.2.254.253 (301) NAS-Port = 0 (301) NAS-Identifier = "10.2.254.253" (301) NAS-Port-Type = Wireless-802.11 (301) Calling-Station-Id = "843E1D87F5BF" (301) Called-Station-Id = "204C03033278" (301) Service-Type = Framed-User (301) Framed-MTU = 1100 (301) EAP-Message = 0x020400061900 (301) State = 0xe37f3d5de17b24b242773e627ff3f802 (301) Aruba-Essid-Name = "RatseNetL" (301) Aruba-Location-Id = "AP18" (301) Aruba-AP-Group = "OS-Trakt" (301) Message-Authenticator = 0x87340687e4ff778e7567a60a6fad3440 (301) session-state: No cached attributes (301) # Executing section authorize from file /etc/freeradius/sites-enabled/default (301) authorize { (301) [preprocess] = ok (301) ntdomain: Checking for prefix before "\" (301) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up realm NULL (301) ntdomain: No such realm "NULL" (301) [ntdomain] = noop (301) update control { (301) &Proxy-To-Realm := LOCAL (301) } # update control = noop (301) [chap] = noop (301) [mschap] = noop (301) [digest] = noop (301) eap: Peer sent EAP Response (code 2) ID 4 length 6 (301) eap: Continuing tunnel setup (301) [eap] = ok (301) } # authorize = ok (301) Found Auth-Type = eap (301) # Executing group from file /etc/freeradius/sites-enabled/default (301) authenticate { (301) eap: Expiring EAP session with state 0x2b35f9422b37e0b9 (301) eap: Finished EAP session with state 0xe37f3d5de17b24b2 (301) eap: Previous EAP request found for state 0xe37f3d5de17b24b2, released from the list (301) eap: Peer sent packet with method EAP PEAP (25) (301) eap: Calling submodule eap_peap to process data (301) eap_peap: Continuing EAP-TLS (301) eap_peap: Peer ACKed our handshake fragment (301) eap_peap: [eaptls verify] = request (301) eap_peap: [eaptls process] = handled (301) eap: Sending EAP Request (code 1) ID 5 length 1000 (301) eap: EAP session adding &reply:State = 0xe37f3d5de07a24b2 (301) [eap] = handled (301) } # authenticate = handled (301) Using Post-Auth-Type Challenge (301) Post-Auth-Type sub-section not found. Ignoring. (301) # Executing group from file /etc/freeradius/sites-enabled/default (301) Sent Access-Challenge Id 64 from 10.0.0.248:1812 to 10.2.254.253:60831 length 0 (301) EAP-Message = 0x010503e81940796d6e617369756d2d70652e64658223776c616e2d636f6e74726f6c6c6572 2e7261747367796d6e617369756d2d70652e646582177777772e7261747367796d6e61736975 6d2d70652e6465821a7a61626269782e7261747367796d6e617369756d2d70652e6465301306 03551d20040c (301) Message-Authenticator = 0x00000000000000000000000000000000 (301) State = 0xe37f3d5de07a24b242773e627ff3f802 (301) Finished request (302) Received Access-Request Id 52 from 10.2.254.253:60831 to 10.0.0.248:1812 length 205 (302) User-Name = "kp@<domain-stripped>" (302) NAS-IP-Address = 10.2.254.253 (302) NAS-Port = 0 (302) NAS-Identifier = "10.2.254.253" (302) NAS-Port-Type = Wireless-802.11 (302) Calling-Station-Id = "843E1D87F5BF" (302) Called-Station-Id = "204C03033278" (302) Service-Type = Framed-User (302) Framed-MTU = 1100 (302) EAP-Message = 0x020500061900 (302) State = 0xe37f3d5de07a24b242773e627ff3f802 (302) Aruba-Essid-Name = "RatseNetL" (302) Aruba-Location-Id = "AP18" (302) Aruba-AP-Group = "OS-Trakt" (302) Message-Authenticator = 0xa55c00579b9ed3c4554238f83309a7be (302) session-state: No cached attributes (302) # Executing section authorize from file /etc/freeradius/sites-enabled/default (302) authorize { (302) [preprocess] = ok (302) ntdomain: Checking for prefix before "\" (302) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up realm NULL (302) ntdomain: No such realm "NULL" (302) [ntdomain] = noop (302) update control { (302) &Proxy-To-Realm := LOCAL (302) } # update control = noop (302) [chap] = noop (302) [mschap] = noop (302) [digest] = noop (302) eap: Peer sent EAP Response (code 2) ID 5 length 6 (302) eap: Continuing tunnel setup (302) [eap] = ok (302) } # authorize = ok (302) Found Auth-Type = eap (302) # Executing group from file /etc/freeradius/sites-enabled/default (302) authenticate { (302) eap: Expiring EAP session with state 0x2b35f9422b37e0b9 (302) eap: Finished EAP session with state 0xe37f3d5de07a24b2 (302) eap: Previous EAP request found for state 0xe37f3d5de07a24b2, released from the list (302) eap: Peer sent packet with method EAP PEAP (25) (302) eap: Calling submodule eap_peap to process data (302) eap_peap: Continuing EAP-TLS (302) eap_peap: Peer ACKed our handshake fragment (302) eap_peap: [eaptls verify] = request (302) eap_peap: [eaptls process] = handled (302) eap: Sending EAP Request (code 1) ID 6 length 1000 (302) eap: EAP session adding &reply:State = 0xe37f3d5de77924b2 (302) [eap] = handled (302) } # authenticate = handled (302) Using Post-Auth-Type Challenge (302) Post-Auth-Type sub-section not found. Ignoring. (302) # Executing group from file /etc/freeradius/sites-enabled/default (302) Sent Access-Challenge Id 52 from 10.0.0.248:1812 to 10.2.254.253:60831 length 0 (302) EAP-Message = 0x010603e819400b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34 c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f8 30175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60 677566b3f118 (302) Message-Authenticator = 0x00000000000000000000000000000000 (302) State = 0xe37f3d5de77924b242773e627ff3f802 (302) Finished request (243) Cleaning up request packet ID 156 with timestamp +10 Waking up in 0.9 seconds. (303) Received Access-Request Id 130 from 10.2.254.253:60831 to 10.0.0.248:1812 length 205 (303) User-Name = "kp@<domain-stripped>" (303) NAS-IP-Address = 10.2.254.253 (303) NAS-Port = 0 (303) NAS-Identifier = "10.2.254.253" (303) NAS-Port-Type = Wireless-802.11 (303) Calling-Station-Id = "843E1D87F5BF" (303) Called-Station-Id = "204C03033278" (303) Service-Type = Framed-User (303) Framed-MTU = 1100 (303) EAP-Message = 0x020600061900 (303) State = 0xe37f3d5de77924b242773e627ff3f802 (303) Aruba-Essid-Name = "RatseNetL" (303) Aruba-Location-Id = "AP18" (303) Aruba-AP-Group = "OS-Trakt" (303) Message-Authenticator = 0x718692290105f2acae5e8598d3db3aad (303) session-state: No cached attributes (303) # Executing section authorize from file /etc/freeradius/sites-enabled/default (303) authorize { (303) [preprocess] = ok (303) ntdomain: Checking for prefix before "\" (303) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up realm NULL (303) ntdomain: No such realm "NULL" (303) [ntdomain] = noop (303) update control { (303) &Proxy-To-Realm := LOCAL (303) } # update control = noop (303) [chap] = noop (303) [mschap] = noop (303) [digest] = noop (303) eap: Peer sent EAP Response (code 2) ID 6 length 6 (303) eap: Continuing tunnel setup (303) [eap] = ok (303) } # authorize = ok (303) Found Auth-Type = eap (303) # Executing group from file /etc/freeradius/sites-enabled/default (303) authenticate { (303) eap: Expiring EAP session with state 0x2b35f9422b37e0b9 (303) eap: Finished EAP session with state 0xe37f3d5de77924b2 (303) eap: Previous EAP request found for state 0xe37f3d5de77924b2, released from the list (303) eap: Peer sent packet with method EAP PEAP (25) (303) eap: Calling submodule eap_peap to process data (303) eap_peap: Continuing EAP-TLS (303) eap_peap: Peer ACKed our handshake fragment (303) eap_peap: [eaptls verify] = request (303) eap_peap: [eaptls process] = handled (303) eap: Sending EAP Request (code 1) ID 7 length 1000 (303) eap: EAP session adding &reply:State = 0xe37f3d5de67824b2 (303) [eap] = handled (303) } # authenticate = handled (303) Using Post-Auth-Type Challenge (303) Post-Auth-Type sub-section not found. Ignoring. (303) # Executing group from file /etc/freeradius/sites-enabled/default (303) Sent Access-Challenge Id 130 from 10.0.0.248:1812 to 10.2.254.253:60831 length 0 (303) EAP-Message = 0x010703e8194002010202104001772137d4e942b8ee76aa3c640ab7300d06092a864886f70d 01010b0500303f31243022060355040a131b4469676974616c205369676e6174757265205472 75737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3231 303132303139 (303) Message-Authenticator = 0x00000000000000000000000000000000 (303) State = 0xe37f3d5de67824b242773e627ff3f802 (303) Finished request Waking up in 0.8 seconds. (304) Received Access-Request Id 7 from 10.2.254.253:60831 to 10.0.0.248:1812 length 205 (304) User-Name = "kp@<domain-stripped>" (304) NAS-IP-Address = 10.2.254.253 (304) NAS-Port = 0 (304) NAS-Identifier = "10.2.254.253" (304) NAS-Port-Type = Wireless-802.11 (304) Calling-Station-Id = "843E1D87F5BF" (304) Called-Station-Id = "204C03033278" (304) Service-Type = Framed-User (304) Framed-MTU = 1100 (304) EAP-Message = 0x020700061900 (304) State = 0xe37f3d5de67824b242773e627ff3f802 (304) Aruba-Essid-Name = "RatseNetL" (304) Aruba-Location-Id = "AP18" (304) Aruba-AP-Group = "OS-Trakt" (304) Message-Authenticator = 0x2c0fc1bf87744bffe4e874075c9484f0 (304) session-state: No cached attributes (304) # Executing section authorize from file /etc/freeradius/sites-enabled/default (304) authorize { (304) [preprocess] = ok (304) ntdomain: Checking for prefix before "\" (304) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up realm NULL (304) ntdomain: No such realm "NULL" (304) [ntdomain] = noop (304) update control { (304) &Proxy-To-Realm := LOCAL (304) } # update control = noop (304) [chap] = noop (304) [mschap] = noop (304) [digest] = noop (304) eap: Peer sent EAP Response (code 2) ID 7 length 6 (304) eap: Continuing tunnel setup (304) [eap] = ok (304) } # authorize = ok (304) Found Auth-Type = eap (304) # Executing group from file /etc/freeradius/sites-enabled/default (304) authenticate { (304) eap: Expiring EAP session with state 0x2b35f9422b37e0b9 (304) eap: Finished EAP session with state 0xe37f3d5de67824b2 (304) eap: Previous EAP request found for state 0xe37f3d5de67824b2, released from the list (304) eap: Peer sent packet with method EAP PEAP (25) (304) eap: Calling submodule eap_peap to process data (304) eap_peap: Continuing EAP-TLS (304) eap_peap: Peer ACKed our handshake fragment (304) eap_peap: [eaptls verify] = request (304) eap_peap: [eaptls process] = handled (304) eap: Sending EAP Request (code 1) ID 8 length 729 (304) eap: EAP session adding &reply:State = 0xe37f3d5de57724b2 (304) [eap] = handled (304) } # authenticate = handled (304) Using Post-Auth-Type Challenge (304) Post-Auth-Type sub-section not found. Ignoring. (304) # Executing group from file /etc/freeradius/sites-enabled/default (304) Sent Access-Challenge Id 7 from 10.0.0.248:1812 to 10.2.254.253:60831 length 0 (304) EAP-Message = 0x010802d919007970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a 2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c 301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a8648 86f70d01010b (304) Message-Authenticator = 0x00000000000000000000000000000000 (304) State = 0xe37f3d5de57724b242773e627ff3f802 (304) Finished request Waking up in 0.8 seconds. (305) Received Access-Request Id 157 from 10.2.254.253:60831 to 10.0.0.248:1812 length 216 (305) User-Name = "kp@<domain-stripped>" (305) NAS-IP-Address = 10.2.254.253 (305) NAS-Port = 0 (305) NAS-Identifier = "10.2.254.253" (305) NAS-Port-Type = Wireless-802.11 (305) Calling-Station-Id = "843E1D87F5BF" (305) Called-Station-Id = "204C03033278" (305) Service-Type = Framed-User (305) Framed-MTU = 1100 (305) EAP-Message = 0x020800111980000000071503030002022d (305) State = 0xe37f3d5de57724b242773e627ff3f802 (305) Aruba-Essid-Name = "RatseNetL" (305) Aruba-Location-Id = "AP18" (305) Aruba-AP-Group = "OS-Trakt" (305) Message-Authenticator = 0x2db17bbdf81f36dcb1577a0066f224d2 (305) session-state: No cached attributes (305) # Executing section authorize from file /etc/freeradius/sites-enabled/default (305) authorize { (305) [preprocess] = ok (305) ntdomain: Checking for prefix before "\" (305) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up realm NULL (305) ntdomain: No such realm "NULL" (305) [ntdomain] = noop (305) update control { (305) &Proxy-To-Realm := LOCAL (305) } # update control = noop (305) [chap] = noop (305) [mschap] = noop (305) [digest] = noop (305) eap: Peer sent EAP Response (code 2) ID 8 length 17 (305) eap: Continuing tunnel setup (305) [eap] = ok (305) } # authorize = ok (305) Found Auth-Type = eap (305) # Executing group from file /etc/freeradius/sites-enabled/default (305) authenticate { (305) eap: Expiring EAP session with state 0x2b35f9422b37e0b9 (305) eap: Finished EAP session with state 0xe37f3d5de57724b2 (305) eap: Previous EAP request found for state 0xe37f3d5de57724b2, released from the list (305) eap: Peer sent packet with method EAP PEAP (25) (305) eap: Calling submodule eap_peap to process data (305) eap_peap: Continuing EAP-TLS (305) eap_peap: Peer indicated complete TLS record size will be 7 bytes (305) eap_peap: Got complete TLS record (7 bytes) (305) eap_peap: [eaptls verify] = length included (305) eap_peap: <<< recv TLS 1.2 [length 0002] (305) eap_peap: ERROR: TLS Alert read:fatal:certificate expired (305) eap_peap: ERROR: TLS_accept: Failed in error (305) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) (305) eap_peap: ERROR: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired (305) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (305) eap_peap: ERROR: System call (I/O) error (-1) (305) eap_peap: ERROR: TLS receive handshake failed during operation (305) eap_peap: ERROR: [eaptls process] = fail (305) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (305) eap: Sending EAP Failure (code 4) ID 8 length 4 (305) eap: Failed in EAP select (305) [eap] = invalid (305) } # authenticate = invalid (305) Failed to authenticate the user (305) Using Post-Auth-Type Reject (305) Post-Auth-Type sub-section not found. Ignoring. (305) # Executing group from file /etc/freeradius/sites-enabled/default (305) Login incorrect (eap_peap: TLS Alert read:fatal:certificate expired): [kp@<domain-stripped>/<via Auth-Type = eap>] (from client wlan_controller port 0 cli 843E1D87F5BF) (305) Delaying response for 1.000000 seconds ```
On Sep 19, 2023, at 7:32 AM, dlux@lux-it-systeme.de wrote:
while trying to setup a new Android device an issue started to appear: Short Story: Authentication fails in the (i guess) P1 phase of EAP-PEAP with a message: certificate expired.
Which means that the certificate expired. No amount of poking things will un-expire the certificate. The cause is: a) wrong time on the supplicant (likely not) b) the certificate has actually expired. c) the supplicant is broken somehow Which certificate has expired? Maybe the server cert, or the CA cert which is on the android device.
Long Story: The radius server is using LetsEncrypt Server certs for ist TLS configuration. That setups works with every device i know of in this network. A new Android device however seems to behave weird with it. Logging Freeradius with the -X flag results with the log below. The device is set to not validate the server cert
Well, it is validating the server cert, isn't it?
and use EAP-PEAP for P1 and MSCHAPv2 for P2. kp@<domain-stripped> is the anonymous identity.
The last message seems rather short (TLS Length 7) which doesn't sound right.
It's an alert from the supplicant to the server. It's nothing more than an error message explaining why the supplicant is refusing to continue the TLS conversation.
I know there is an issue with the domain detection because its only checking for ntdomain. Thats work for another day.
This issue has nothing to do with domains. Either the supplicant is broken, or some certificate needed by the supplicant has expired. Check the server certificate. If it's fine, then check the CA certificate. If it's fine, check that the correct CA certificate is on the supplicant. After that, throw the supplicant in the garbage and get one that works. It's very difficult to debug issues with closed devices. Or maybe there's an android page somewhere which explains how to debug these issues on android. It's certainly not a FreeRADIUS problem. Alan DeKok.
participants (2)
-
Alan DeKok -
dlux@lux-it-systeme.de