certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi

Julio Edel Salas Díaz julio.salas at emincar.com
Tue Dec 20 18:44:07 UTC 2022 

Hi Oliver, I don't know if you have solved the problem, but the way to solve it is: when you generate the certificate with acme.sh add this parameter '--preferred-chain "ISRG Root X1"'.
Greetings.
-----Mensaje original-----
De: Freeradius-Users <freeradius-users-bounces+julio.salas=emincar.com at lists.freeradius.org> En nombre de Olivier
Enviado el: miércoles, 29 de junio de 2022 11:47
Para: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Asunto: Re: certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi

Thank you very much for replying !

By client, do you mean the WiFi access point or the Android device ?


Le mar. 28 juin 2022 à 22:13, Alan DeKok <aland at deployingradius.com> a écrit :
>
> On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07 at gmail.com> wrote:
> > For some times now, Android 11 requires cert validation in WiFi 
> > connections (see [1]).
> > At the same time, Android 11 also makes it much harder for end users 
> > to import self-signed root CA (see [2]).
> > As I provide WiFi connectivity in BYOD environments and can't help 
> > end users when they import certs, I choosed to test PEAP/MSCHAPv2 
> > with LetsEncrypt certs though I know this would be less secure than 
> > with self-signed root CA.
>
>   That's fine.
>
> > My lab setup includes:
> > - a Freeradius 3.0.21 on Debian Bullseye
>
>   I would very much suggest using 3.2.0.  It has better debugging for 
> TLS.  And packages are available on http://packages.networkradius.com
>
> > (26) eap_peap: <<< recv TLS 1.3  [length 007e]
>
>   i.e. from the client
>
> > (26) eap_peap: TLS_accept: SSLv3/TLS read client hello
> > (26) eap_peap: >>> send TLS 1.2  [length 003d]
>
>   i.e. FreeRADIUS is sending this.
>
> > (31) eap_peap: <<< recv TLS 1.2  [length 0002]
> > (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
>
>   The client is sending this message to FreeRADIUS.
>
>   i.e. the client doesn't like the certificate sent by FreeRADIUS.
>
>   If the certificate isn't expired, then you need to fix the client.  Either it's time is wrong, or something else is going on.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list