Android 2.3.5 supplicants failing after upgrade to FreeRADIUS 2.2.5 from 2.2.0

Rui Ribeiro ruyrybeyro at gmail.com
Mon Jun 2 12:41:43 CEST 2014


Hi,

About this issue, I remember us having problems in the past with some
Android and Linux devices where in the configuration you had to fill up the
anonymous login field, or else it would not authenticate if that field was
blank.

At that time, I instructed our helpdesk to fill it up with the login of the
user.

I just mention this, because it could be due to some configuration in the
inner/outer tunnel, or a change of the default protocols.

For instance, I already helped in a case where the FreeRadius admin was
telling me he only used PEAP, but after an upgrade the Apple devices
started using the default TTLS configuration.


Regards,
Rui Ribeiro


> Message: 7
> Date: Mon, 2 Jun 2014 10:47:48 +0100
> From: Robert Franklin <rcf34 at cam.ac.uk>
> To: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
> Cc: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Android 2.3.5 supplicants failing after upgrade to
>         FreeRADIUS 2.2.5 from 2.2.0
> Message-ID: <25867EE6-3519-4698-97B7-7B174A8AB152 at cam.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> On 31 May 2014, at 10:35, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>
> > So not just FR update but also the OS updated too...so possible eg samba
> > upgrade too
>
> I don't think anything majorly -- nothing like OpenSSL changing beyond
> some patches SuSE would have backported.  Our password backend is a
> PostgreSQL server with Cleartext-Password being stored; there is no Samba
> involved.
>
>
> > If the RPM blatted your config like that then it may also have done
> > something to your EAP config too - eg certificates (especially if the debug
> > shows the clients failing at that point) . Did your windows client have
> > correct/secure EAP settings or was it just 'user/password don't care about
> > cert details' mode?
>
> I think the certs are all the same and being referenced the same -- we use
> a signed cert from the Janet Certificate Service and the chain all looks to
> be there (checking 'radiusd -X' output to see which files are read).
>
> My Windows 7 PC to test the same credentials is configured with the full
> 802.1X security setup - it only has the 'AddTrust External CA root' ticked,
> as well as the server name for the certificate as
> 'network.tokens.csx.cam.ac.uk'.  If I change these settings on the PC to
> deliberately break them (such as tick a different CA, or change the
> server name to 'network2.tokens.csx.cam.ac.uk') then the authentication
> fails (I do re-enter the credentials following this).  So I think
> everything is being checked correctly.
>
>
> Also, that all the users of other platforms (>13,000 last week) are
> getting on without issue makes me think there's something odd here, like a
> chain certificate issue.
>
> I'm trying to lay my hands on a 2.3.5 device I can muck about with but
> it's proving tricky.
>
>
> Is there anything that can be determined from the raddebug output I sent
> (in terms of which end is stopping the EAP dialogue) or do I need to get
> more or a different type of output?
>
>   - Bob
>
>
> --
> Bob Franklin   rcf34 at cam.ac.uk / +44 1223 748479
> Networks, University Information Services, University of Cambridge
>