How to investigate failed Android authentication (EAP-TLS) on WiFi reconnection

[Alan DeKok]

On Nov 10, 2022, at 3:46 PM, Dario Barbon <dbarbon at olicom.eu> wrote:
> 
> Hello, I've a Linux Ubuntu 18.04

  ???

  Upgrade.

> server with Freeradius 3.0.16

  Definitely upgrade.  There are many fixes, and many better error messages in newer versions.

  There are also many changes to supported OpenSSL ciphers.  Which means that newer devices are more likely to have problems with a nearly 7 year-old server.

> on x86_64 virtual machine.
> 
> Freeradius is used only to provide Android devices authentication (EAP-TLS); the authentication works.
> The WiFi network was installed by my client: it is a geographical distributed WiFi with a controller and 10 access points.
> Sometimes, when one smartphone moves out of WiFi network area and then come back, the connection to WiFi fails. I can reconnect only after a WiFi off / on from Android network settings.
> 
> I want to investigate this behaviour; I've found these recurring errors inside last month log files:
> 
> ERROR: rlm_eap (EAP): No EAP session matching state 0x3d4e1475385119b8

 Some kind of network problem.

> ERROR: TLS Alert write:fatal:protocol version
> 
> ERROR: TLS Alert read : fatal:unknown CA
> 
> ERROR: (658258) eap_tls: ERROR: TLS Alert read : fatal : internal error
> 
> ERROR: (644636) eap_tls: ERROR: TLS Alert read : fatal:bad certificate

  TLS negotiation issues.

> ERROR: (639156) eap: ERROR: rlm_eap (EAP): Aborting! More than 50 roundtrips made in session with state 0xfd858905cfb18490

  A broken device.

> ERROR: (367333) eap_tls: ERROR: TLS Alert write:fatal:protocol version

  TLS negotiation issues.

> Could you please suggest a debug checklist / debug process to help me understand why this behaviour happen?

  Upgrade.  Then debug.

  There is zero reason to debug issues with 7 year-old software.  The issues have been found and fixed years ago.

  Alan DeKok.