certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi

Alan DeKok aland at deployingradius.com
Tue Jun 28 20:13:39 UTC 2022

On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07 at gmail.com> wrote:
> For some time now, Android 11 requires cert validation in WiFi
> connections (see [1]).
> At the same time, Android 11 also makes it much harder for end users
> to import self-signed root CA (see [2]).
> As I provide WiFi connectivity in BYOD environments and can't help end
> users when they import certs, I chose to test PEAP/MSCHAPv2 with
> LetsEncrypt certs though I know this would be less secure than with
> self-signed root CA.

  That's fine.

> My lab setup includes:
> - a Freeradius 3.0.21 on Debian Bullseye

  I would very much suggest using 3.2.0.  It has better debugging for TLS.  And packages are available on http://packages.networkradius.com

> (26) eap_peap: <<< recv TLS 1.3  [length 007e]

  i.e. from the client

> (26) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (26) eap_peap: >>> send TLS 1.2  [length 003d]

  i.e. FreeRADIUS is sending this.

> (31) eap_peap: <<< recv TLS 1.2  [length 0002]
> (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired

  The client is sending this message to FreeRADIUS.

  i.e. the client doesn't like the certificate sent by FreeRADIUS.

  If the certificate isn't expired, then you need to fix the client.  Either its time is wrong, or something else is going on.

  Alan DeKok.
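
An added example, not part of the original message and not FreeRADIUS code: a small Python parser for the `TLS Alert read` / `TLS Alert write` debug lines discussed above, reporting which side sent each alert and therefore which side rejected the handshake. The function name, the `write` sample line and its request number are constructed for illustration.

```python
import re

# In FreeRADIUS debug output, "TLS Alert read:..." is an alert received from
# the client (supplicant); "TLS Alert write:..." is one FreeRADIUS sent itself.
ALERT_RE = re.compile(
    r"^\((?P<req>\d+)\)\s+(?P<module>\w+):\s+(?:ERROR:\s+)?"
    r"TLS Alert (?P<op>read|write):(?P<level>\w+):(?P<desc>.+?)\s*$"
)
SENDER = {"read": "client", "write": "server"}

# Sample input: the first three lines are quoted from the thread, the last
# one is constructed to show the opposite direction.
SAMPLE = [
    "> (26) eap_peap: <<< recv TLS 1.3  [length 007e]",
    "> (31) eap_peap: <<< recv TLS 1.2  [length 0002]",
    "> (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired",
    "(40) eap_peap: ERROR: TLS Alert write:fatal:protocol version",
]


def classify_tls_alerts(lines):
    """Return one record per TLS alert line, naming the side that sent it."""
    findings = []
    for raw in lines:
        # Drop e-mail quote markers ("> ") before matching.
        line = raw.lstrip("> ").strip()
        m = ALERT_RE.match(line)
        if not m:
            continue
        sender = SENDER[m["op"]]
        findings.append({
            "request": int(m["req"]),
            "module": m["module"],
            "sender": sender,
            "level": m["level"],
            "description": m["desc"],
            # The sender of an alert is the side that refused what its peer
            # presented, so that is where troubleshooting starts.
            "rejected_by": sender,
        })
    return findings


if __name__ == "__main__":
    for f in classify_tls_alerts(SAMPLE):
        print("({request}) {module}: {level} '{description}' "
              "sent by the {sender}".format(**f))
```
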
