No subject

Philippe MARASSE philippe.marasse at ch-poitiers.fr
Mon Mar 28 13:10:21 UTC 2022


Hello,

With a recent Android device (>= 4.4), instead of using EAP-PEAP+MSCHAPv2,
which can be a little painful to configure for users (e.g. anonymous vs
non-anonymous identity), you can enable EAP-PWD:
   - no need to accept a certificate
   - far fewer packets exchanged to get authenticated.

The only drawback: you have to know the user's password in plain text.

Here, for the employees' wifi, the default EAP type has been set to pwd, and
Apple devices, which are not able to do EAP-PWD as far as I know,
continue to work.

Regards.

On 24/03/2022 at 23:13, Ben Dronen wrote:
> Hello all,
>
> Thank you all for your hard work in keeping FreeRADIUS excellent. I am
> currently running FreeRADIUS 3.0.20. I am looking to solve an issue with
> using a certificate purchased from GlobalSign with Android 11 clients. When
> connecting to WiFi, we select EAP-PEAP and MSCHAPv2, then as the domain we
> put the CA of the certificate we purchased, but when connecting, we get the
> "ERROR: TLS Alert read:fatal:unknown CA". I have seen some information on
> this error in previous threads (Alan DeKok said in a previous thread that
> "That's an alert from the client. It doesn't recognize the CA which signed
> the server certificate."). However, according to the list of official CAs
> found here:
> https://android.googlesource.com/platform/system/ca-certificates/+/master/files/,
> the GlobalSign Root CA is part of Android (filename b0f3e76e.0). I was able
> to get this working fine with a Let's Encrypt Certificate (using cert.pem
> as the certificate_file in mods-enabled/eap and fullchain.pem as the
> ca_file in mods-enabled/eap). However, this isn't working with the
> GlobalSign cert.pem and fullchain.pem (which I created manually with the
> certificate and CA chain). Does anybody have any insights? When making the
> fullchain.pem (shown below), I did it in this order: server, intermediate,
> then root, like the Let's Encrypt fullchain.pem was, to no avail. The
> reason we are using a GlobalSign certificate instead of the Let's Encrypt
> certificate is so iOS users don't have to re-accept a new certificate every
> 90 days, only once per year. The reason for needing a cert from a signed CA
> is so Android users don't have to import a CA to get on our 802.1x network.
> My insights on the certificate chain have come from this article:
> https://extremeportal.force.com/ExtrArticleDetail?an=000092023
>
> Relevant output of freeradius -X
>
> (4) eap: Expiring EAP session with state 0x070e85d2040b9ce9
> (4) eap: Finished EAP session with state 0x070e85d2040b9ce9
> (4) eap: Previous EAP request found for state 0x070e85d2040b9ce9, released
> from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes
> (4) eap_peap: Got complete TLS record (7 bytes)
> (4) eap_peap: [eaptls verify] = length included
> (4) eap_peap: <<< recv TLS 1.2  [length 0002]
> (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> (4) eap_peap: TLS_accept: Need to read more data: error
> (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca
> (4) eap_peap: TLS - In Handshake Phase
> (4) eap_peap: TLS - Application data.
> (4) eap_peap: ERROR: TLS failed during operation
> (4) eap_peap: ERROR: [eaptls process] = fail
> (4) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
> failed
> (4) eap: Sending EAP Failure (code 4) ID 5 length 4
> (4) eap: Failed in EAP select
>
> My cert.pem:
>
>
> My fullchain.pem:
>
>
> Thank you for your assistance. Apologies if this is a stupid question; I
> have tried to solve this on my own but am currently at a roadblock.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Philippe MARASSE

Infrastructure Unit Manager
Direction de l'Informatique, Support à la Communication et à l'Organisation (DISCO)
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel: 05.49.44.57.19
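Added example, not code from this thread or from FreeRADIUS: a dependency-free sanity check for a fullchain.pem assembled by hand in the server, intermediate, root order the question describes. It walks the bundle and flags an intermediate whose subject does not match the leaf's issuer, or a bundle that does not end at a self-signed root, the kind of mismatch that leaves a client unable to build a path to a trusted CA and produces exactly this "unknown CA" alert. The certificates it builds for the demonstration are constructed, unsigned stand-ins with placeholder names; a production check would additionally run `openssl verify` against the real files.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings (issuer Name, subject Name) of one X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                            # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                            # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                      # [0] EXPLICIT version is optional
    _, _, pos = _tlv(tbs, pos)                           # serialNumber
    _, _, pos = _tlv(tbs, pos)                           # signature AlgorithmIdentifier
    _, _, end = _tlv(tbs, pos)                           # issuer Name
    issuer, pos = tbs[pos:end], end
    _, _, pos = _tlv(tbs, pos)                           # validity
    _, _, end = _tlv(tbs, pos)                           # subject Name
    return issuer, tbs[pos:end]

def chain_problems(fullchain_pem):
    """Each cert's issuer must equal the next cert's subject; the last cert must be self-signed."""
    names = [issuer_and_subject(base64.b64decode(m.group(1))) for m in PEM_BLOCK.finditer(fullchain_pem)]
    problems = [f"cert {i} issuer does not match cert {i + 1} subject"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if names and names[-1][0] != names[-1][1]:
        problems.append("last cert is not self-signed, so the bundle does not end at a root")
    return problems

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in (CNs under 128 bytes, so short-form DER lengths suffice)."""
    der = lambda tag, content: bytes([tag, len(content)]) + content
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    body = base64.b64encode(der(0x30, der(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

def sample_chain(intermediate_cn):
    """server, intermediate, root in the order the thread describes; the intermediate CN varies."""
    return (fake_cert_pem(b"radius.example.org", b"Example Issuing CA 2018")
            + fake_cert_pem(intermediate_cn, b"Example Root CA")
            + fake_cert_pem(b"Example Root CA", b"Example Root CA"))
```

Run `chain_problems(open("fullchain.pem", "rb").read())` on a real bundle; an empty list means the file order is consistent, not that the root is trusted by the client.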


