certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi

Olivier oza.4h07 at gmail.com
Wed Jun 29 15:47:09 UTC 2022


Thank you very much for replying!

By client, do you mean the WiFi access point or the Android device?


On Tue, Jun 28, 2022 at 22:13, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07 at gmail.com> wrote:
> > For some time now, Android 11 requires cert validation in WiFi
> > connections (see [1]).
> > At the same time, Android 11 also makes it much harder for end users
> > to import self-signed root CA (see [2]).
> > As I provide WiFi connectivity in BYOD environments and can't help end
> > users when they import certs, I chose to test PEAP/MSCHAPv2 with
> > LetsEncrypt certs though I know this would be less secure than with
> > self-signed root CA.
>
>   That's fine.
>
> > My lab setup includes:
> > - a Freeradius 3.0.21 on Debian Bullseye
>
>   I would very much suggest using 3.2.0.  It has better debugging for TLS.  And packages are available on http://packages.networkradius.com
>
> > (26) eap_peap: <<< recv TLS 1.3  [length 007e]
>
>   i.e. from the client
>
> > (26) eap_peap: TLS_accept: SSLv3/TLS read client hello
> > (26) eap_peap: >>> send TLS 1.2  [length 003d]
>
>   i.e. FreeRADIUS is sending this.
>
> > (31) eap_peap: <<< recv TLS 1.2  [length 0002]
> > (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
>
>   The client is sending this message to FreeRADIUS.
>
>   i.e. the client doesn't like the certificate sent by FreeRADIUS.
>
>   If the certificate isn't expired, then you need to fix the client.  Either its time is wrong, or something else is going on.
>
>   Alan DeKok.


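The direction reading applied to the debug output in the quoted reply, as an added example that is not part of the original thread or of FreeRADIUS itself: it parses the `eap_peap` debug lines and makes explicit which side sent each TLS record and which side raised the fatal alert. The function names are hypothetical, the sample is built from the lines quoted above, and treating `TLS Alert write` as an alert sent by the server is an assumption (only the `read` form appears in the thread).

```python
import re

# Constructed sample: the debug lines quoted in the thread above.
SAMPLE = """\
(26) eap_peap: <<< recv TLS 1.3  [length 007e]
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello
(26) eap_peap: >>> send TLS 1.2  [length 003d]
(31) eap_peap: <<< recv TLS 1.2  [length 0002]
(31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
"""

RECORD = re.compile(
    r"^\((\d+)\) \w+: (?:<<<|>>>) (recv|send) TLS [\d.]+\s+\[length ([0-9a-fA-F]+)\]")
ALERT = re.compile(r"^\((\d+)\) \w+: (?:ERROR: )?TLS Alert (read|write):(\w+):(.+)$")


def parse_tls_events(log_text):
    """Return one dict per TLS record or alert line, with the sender made explicit.

    "peer" is the other end of the TLS session (what the thread calls the
    client); "server" is FreeRADIUS.
    """
    events = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RECORD.match(line)
        if m:
            # recv = the server received it, so the peer sent it
            sender = "peer" if m.group(2) == "recv" else "server"
            events.append({"request": int(m.group(1)), "kind": "record",
                           "sender": sender, "length": int(m.group(3), 16)})
            continue
        m = ALERT.match(line)
        if m:
            # read = alert read by the server, i.e. raised by the peer
            sender = "peer" if m.group(2) == "read" else "server"
            events.append({"request": int(m.group(1)), "kind": "alert",
                           "sender": sender, "level": m.group(3),
                           "description": m.group(4).strip()})
    return events


def first_fatal_alert(events):
    """Return the first fatal alert event, or None if the handshake had none."""
    return next((e for e in events
                 if e["kind"] == "alert" and e["level"] == "fatal"), None)


if __name__ == "__main__":
    alert = first_fatal_alert(parse_tls_events(SAMPLE))
    print(f"request {alert['request']}: {alert['sender']} sent '{alert['description']}'")
```

A fatal alert whose sender is `peer` means the certificate was rejected on the far side of the TLS session, so the certificate dates and that device's clock are the things to check.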