Android 2.3.5 supplicants failing after upgrade to FreeRADIUS 2.2.5 from 2.2.0

Stefan Paetow Stefan.Paetow at
Mon Jun 2 12:56:34 CEST 2014

anonymous at your_realm would be more appropriate ☺


From: at [ at] On Behalf Of Rui Ribeiro
Sent: 02 June 2014 11:42
To: FreeRadius users mailing list
Subject: Re: Android 2.3.5 supplicants failing after upgrade to FreeRADIUS 2.2.5 from 2.2.0


About this issue, I remember we having problems in the past with some Android and Linux devices where in the configuration you had to fill up the anonymous login field, or else it would not authenticate if that field was blank.

At that time, I instructed our helpdesk to fill it up with the login of the user.

I just mention this, because could be due to some configuration in the inner/outer tunnel, or a change of the default protocols.

For instance, I already helped in a case where the FreeRadius admin was telling me he only used PEAP, but after an upgrade the Apple devices starting using the default TTLS configuration.

Rui Ribeiro

Message: 7
Date: Mon, 2 Jun 2014 10:47:48 +0100
From: Robert Franklin <rcf34 at<mailto:rcf34 at>>
To: Alan Buxey <A.L.M.Buxey at<mailto:A.L.M.Buxey at>>
Cc: FreeRadius users mailing list
        <freeradius-users at<mailto:freeradius-users at>>
Subject: Re: Android 2.3.5 supplicants failing after upgrade to
        FreeRADIUS      2.2.5   from 2.2.0
Message-ID: <25867EE6-3519-4698-97B7-7B174A8AB152 at<mailto:25867EE6-3519-4698-97B7-7B174A8AB152 at>>
Content-Type: text/plain; charset=us-ascii

On 31 May 2014, at 10:35, Alan Buxey <A.L.M.Buxey at<mailto:A.L.M.Buxey at>> wrote:

> So not just FR update but also the OS updated possible eg samba upgrade too

I don't think anything majorly -- nothing like OpenSSL changing beyond some patches SuSE would have backported.  Our password backend is a PostgreSQL server with Cleartext-Password being store; there is no Samba involved.

> If the RPM blatted your config like that then it may also have done something to your EAP config too - eg certificates (especially if the debug shows the clients failing at that point) . Did your windows client have correct/secure EAP settings or was it just 'user/password don't care about cert details' mode?

I think the certs are all the same and being referenced the same -- we use a signed cert from the Janet Certificate Service and the chain all looks to be there (checking 'radiusd -X' output to see which files are read).

My Windows 7 PC to test the same credentials is configured with the full 802.1X security setup - it only has the 'AddTrust External CA root' ticked, as well as the server name for the certificate as '<>'.  If I change these settings on the PC to deliberately break them (such as ticket a different CA, or change the server name to '<>') then the authentication fails (I do re-enter the credentials following this).  So I think everything is being checked correctly.

Also, that all the users of other platforms (>13,000 last week) are getting on without issue makes me think there's something odd here, like a chain certificate issue.

I'm trying to lay my hands on a 2.3.5 device I can muck about with but it's proving tricky.

Is there anything that can be determined from the raddebug output I sent (in terms of which end is stopping the EAP dialogue) or do I need to get more or a different type of output?

  - Bob

Bob Franklin   rcf34 at<mailto:rcf34 at> / +44 1223 748479
Networks, University Information Services, University of Cambridge

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list