Android 2.3.5 supplicants failing after upgrade to FreeRADIUS 2.2.5 from 2.2.0

Robert Franklin rcf34 at
Mon Jun 2 11:47:48 CEST 2014

On 31 May 2014, at 10:35, Alan Buxey <A.L.M.Buxey at> wrote:

> So not just FR update but also the OS updated possible eg samba upgrade too

I don't think anything majorly -- nothing like OpenSSL changing beyond some patches SuSE would have backported.  Our password backend is a PostgreSQL server with Cleartext-Password being store; there is no Samba involved.

> If the RPM blatted your config like that then it may also have done something to your EAP config too - eg certificates (especially if the debug shows the clients failing at that point) . Did your windows client have correct/secure EAP settings or was it just 'user/password don't care about cert details' mode?

I think the certs are all the same and being referenced the same -- we use a signed cert from the Janet Certificate Service and the chain all looks to be there (checking 'radiusd -X' output to see which files are read).

My Windows 7 PC to test the same credentials is configured with the full 802.1X security setup - it only has the 'AddTrust External CA root' ticked, as well as the server name for the certificate as ''.  If I change these settings on the PC to deliberately break them (such as ticket a different CA, or change the server name to '') then the authentication fails (I do re-enter the credentials following this).  So I think everything is being checked correctly.

Also, that all the users of other platforms (>13,000 last week) are getting on without issue makes me think there's something odd here, like a chain certificate issue.

I'm trying to lay my hands on a 2.3.5 device I can muck about with but it's proving tricky.

Is there anything that can be determined from the raddebug output I sent (in terms of which end is stopping the EAP dialogue) or do I need to get more or a different type of output?

  - Bob

Bob Franklin   rcf34 at / +44 1223 748479
Networks, University Information Services, University of Cambridge

More information about the Freeradius-Users mailing list