Certificate issues

Alan DeKok aland at deployingradius.com
Fri Mar 25 21:17:16 UTC 2022


On Mar 24, 2022, at 6:13 PM, Ben Dronen <dronenb at andrews.edu> wrote:
> Thank you all for your hard work in keeping FreeRadius excellent. I am
> currently running FreeRADIUS 3.0.20. I am looking to solve an issue with
> using a certificate purchased from GlobalSign with Android 11 clients. When
> connecting to WiFi, we select EAP-PEAP and MSCHAPv2, then as the domain we
> put the CA of the certificate we purchased, but when connecting, we get the
> "ERROR: TLS Alert read:fatal:unknown CA".

  Which means that the CA isn't known to the Android device.

> I have seen some information on
> this error in previous threads (Alan DeKok said in a previous thread that
> "That's an alert from the client. It doesn't recognize the CA which signed
> the server certificate.").

  Yes.

> However, according to the list of official CAs
> found here:
> https://android.googlesource.com/platform/system/ca-certificates/+/master/files/,
> the GlobalSign Root CA is part of Android (filename b0f3e76e.0).

  That's for *web* use.  If you want to use that CA for *Wifi* you have to enable it manually.

> I was able
> to get this working fine with a Let's Encrypt Certificate (using cert.pem
> as the certificate_file in mods-enabled/eap and fullchain.pem as the
> ca_file in mods-enabled/eap). However, this isn't working with the
> GlobalSign cert.pem and fullchain.pem (which I created manually with the
> certificate and CA chain). Does anybody have any insights?

  Configure Wifi / EAP on the Android device so that it accepts the CA you're using.  Nothing else will fix the problem.

> When making the
> fullchain.pem (shown below), I did it in this order: server, intermediate,
> then root, like the Let's Encrypt fullchain.pem was, to no avail. The
> reason we are using a GlobalSign certificate instead of the Let's Encrypt
> certificate is so iOS users don't have to re-accept a new certificate every
> 90 days, only once per year. The reason for needing a cert from a signed CA
> is so Android users don't have to import a CA to get on our 802.1x network.
> My insights on the certificate chain have come from this article:
> https://extremeportal.force.com/ExtrArticleDetail?an=000092023

  Which says to configure the Android device to "use system certificates".  That hasn't been done here.

  Alan DeKok.
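The original poster assembled fullchain.pem by hand in the order server, intermediate, root. The script below is an added example, not code from the thread or from the FreeRADIUS project: it splits a PEM bundle into its certificates and checks that each certificate's issuer matches the subject of the certificate that follows it, which is the one property a hand-built chain most often gets wrong. It assumes `openssl` is on PATH; the bundle path is a placeholder. As Alan's reply points out, a correctly ordered chain does not by itself cure the "unknown CA" alert: the Android device still has to be configured to trust the CA (for example by selecting "use system certificates"), so this check only rules out the chain as a second cause.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): sanity-check the order of
# a hand-built fullchain.pem, i.e. that each certificate is issued by the one
# that follows it (server -> intermediate -> root).
# Assumes: openssl on PATH. File names below are placeholders.

# check_chain_order BUNDLE
# Prints one line per certificate and returns 0 if every certificate's issuer
# matches the subject of the next certificate in the file, 1 otherwise.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 1

    # Split the PEM bundle into one file per certificate, preserving order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
        n { print > f }
        /-----END CERTIFICATE-----/   { close(f) }' "$bundle"

    rc=0
    prev_issuer=""
    i=0
    for cert in "$tmp"/*.pem; do
        [ -f "$cert" ] || continue
        i=$((i + 1))
        # -nameopt RFC2253 gives a stable, comparable rendering of the DNs.
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert")
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert")
        subject=${subject#subject=}
        issuer=${issuer#issuer=}
        echo "[$i] subject=$subject"
        echo "    issuer =$issuer"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "    ERROR: certificate $((i - 1)) was issued by '$prev_issuer', not by this one" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    if [ "$i" -eq 0 ]; then
        echo "ERROR: no certificates found in $bundle" >&2
        rc=1
    fi
    # The last certificate is the root when it is self-signed.
    if [ "$i" -gt 0 ] && [ "$subject" = "$issuer" ]; then
        echo "last certificate is self-signed (root)"
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: sh check_chain.sh /etc/freeradius/certs/fullchain.pem  (placeholder path)
if [ "$#" -ge 1 ]; then
    check_chain_order "$1"
fi
```

Run it against the file named as `ca_file` (or `certificate_file`, if that holds the chain) in mods-enabled/eap. A non-zero exit with an ERROR line means two adjacent certificates do not chain; a clean run means the file order is at least consistent, and the remaining cause of the alert is on the client side.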
