Android 2.3.5 supplicants failing after upgrade to FreeRADIUS 2.2.5 from 2.2.0
Robert Franklin
rcf34 at cam.ac.uk
Mon Jun 2 21:30:56 CEST 2014
On 2 Jun 2014, at 13:56, Robert Franklin <rcf34 at cam.ac.uk> wrote:
> The EAP tunnel doesn't get established as things stop before then, so we haven't even checked the inner username yet.
I've done some further testing with eapol_test compiled under Linux. I can't get this to authenticate at all, so I either have it misconfigured or the server problem extends to this.
I've attached the output from eapol_test to see if someone can make sense of it. I can see the certificate chain and CA being reported as being sent by the server, but there is also this part (full stuff in the attached file):
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=10 depth=0 subject='/C=GB/ST=England/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=network.tokens.csx.cam.ac.uk' err='Server used client certificate'
EAP: Status notification: remote certificate verification (param=Server used client certificate)
SSL: (where=0x4008 ret=0x22e)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:certificate unknown
EAP: Status notification: local TLS alert (param=certificate unknown)
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I'm not sure if this is the problem, but then I don't know if this error is correct or not. I have this in the configuration file (as the only network - there is lots of other stuff at the top):
network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=PEAP
identity="300-145-354 at wireless.cam.ac.uk"
anonymous_identity="@cam.ac.uk"
password="a4bumip3"
ca_cert="/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt"
phase1="peaplabel=1"
phase2="autheap=MSCHAPV2"
}
Name: eapol_test_output.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140602/73cc4379/attachment-0001.txt>
If there's some extra test I should be trying or a misconfiguration in the test, please let me know.
I do now have a blank Android 2.3.5 phone (an HTC Wildfire S - stop dribbling at the back there!) and it is failing in the same way as the other users.
- Bob
--
Bob Franklin rcf34 at cam.ac.uk / +44 1223 748479
Networks, University Information Services, University of Cambridge