How to investigate failed Android authentication (EAP-TLS) on WiFi reconnection
Jorge Pereira
jpereira at freeradius.org
Thu Nov 10 18:51:12 UTC 2022
Upgrade your software as Alan said. Other than that, we strongly recommend using the official packages available at https://packages.networkradius.com/
> On 10 Nov 2022, at 12:54, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Nov 10, 2022, at 3:46 PM, Dario Barbon <dbarbon at olicom.eu> wrote:
>>
>> Hello, I've a Linux Ubuntu 18.04
>
> ???
>
> Upgrade.
>
>> server with Freeradius 3.0.16
>
> Definitely upgrade. There are many fixes, and many better error messages in newer versions.
>
> There are also many changes to supported OpenSSL ciphers. Which means that newer devices are more likely to have problems with a nearly 7 year-old server.
>
>> on x86_64 virtual machine.
>>
>> Freeradius is used only to provide Android devices authentication (EAP-TLS); the authentication works.
>> The WiFi network was installed by my client: it is a geographically distributed WiFi with a controller and 10 access points.
>> Sometimes, when one smartphone moves out of WiFi network area and then comes back, the connection to WiFi fails. I can reconnect only after a WiFi off / on from Android network settings.
>>
>> I want to investigate this behaviour; I've found these recurring errors inside last month's log files:
>>
>> ERROR: rlm_eap (EAP): No EAP session matching state 0x3d4e1475385119b8
>
> Some kind of network problem.
>
>> ERROR: TLS Alert write:fatal:protocol version
>>
>> ERROR: TLS Alert read : fatal:unknown CA
>>
>> ERROR: (658258) eap_tls: ERROR: TLS Alert read : fatal : internal error
>>
>> ERROR: (644636) eap_tls: ERROR: TLS Alert read : fatal:bad certificate
>
> TLS negotiation issues.
>
>> ERROR: (639156) eap: ERROR: rlm_eap (EAP): Aborting! More than 50 roundtrips made in session with state 0xfd858905cfb18490
>
> A broken device.
>
>> ERROR: (367333) eap_tls: ERROR: TLS Alert write:fatal:protocol version
>
> TLS negotiation issues.
>
>> Could you please suggest a debug checklist / debug process to help me understand why this behaviour happens?
>
> Upgrade. Then debug.
>
> There is zero reason to debug issues with 7 year-old software. The issues have been found and fixed years ago.
>
> Alan DeKok.
Jorge Pereira
jpereira at networkradius.com
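A triage sketch for the error lines quoted in the thread, added here as an example; it is not code from the posters or from FreeRADIUS. It groups lines into the three kinds Alan names (lost EAP session, TLS alert, runaway roundtrips) and records which side sent each TLS alert. The timestamps and the `Login OK` line in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the error texts quoted in the thread, with made-up timestamps.
SAMPLE_LOG = """\
Thu Nov 10 10:01:02 2022 : ERROR: rlm_eap (EAP): No EAP session matching state 0x3d4e1475385119b8
Thu Nov 10 10:01:05 2022 : ERROR: (367333) eap_tls: ERROR: TLS Alert write:fatal:protocol version
Thu Nov 10 10:02:11 2022 : ERROR: (644636) eap_tls: ERROR: TLS Alert read : fatal:bad certificate
Thu Nov 10 10:02:40 2022 : ERROR: (658258) eap_tls: ERROR: TLS Alert read : fatal : internal error
Thu Nov 10 10:03:00 2022 : ERROR: TLS Alert read : fatal:unknown CA
Thu Nov 10 10:04:17 2022 : ERROR: (639156) eap: ERROR: rlm_eap (EAP): Aborting! More than 50 roundtrips made in session with state 0xfd858905cfb18490
Thu Nov 10 10:05:00 2022 : Auth: (639157) Login OK: [device01] (from client ap1 port 0)
"""

TLS_ALERT = re.compile(r"TLS Alert (read|write)\s*:\s*(\w+)\s*:\s*(.+?)\s*$")
NO_SESSION = re.compile(r"No EAP session matching state (0x[0-9a-f]+)")
ROUNDTRIPS = re.compile(r"More than (\d+) roundtrips made in session with state (0x[0-9a-f]+)")

def classify(line):
    """Return (category, detail) for a recognised error line, else None."""
    m = TLS_ALERT.search(line)
    if m:
        direction, level, desc = m.groups()
        # "write": the server sent the alert; "read": the server received it from the client.
        sender = "server" if direction == "write" else "client"
        return ("tls_alert", f"{sender} sent {level}: {desc}")
    if NO_SESSION.search(line):
        return ("lost_eap_session", "state not found")
    m = ROUNDTRIPS.search(line)
    if m:
        return ("too_many_roundtrips", f"limit {m.group(1)}")
    return None

def summarize(text):
    """Count recognised error lines per (category, detail)."""
    counts = Counter()
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts

if __name__ == "__main__":
    for (category, detail), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {category:20s} {detail}")
```

Run it over a real `radius.log` by passing the file contents to `summarize()`. Alerts the client sent (`unknown CA`, `bad certificate`) and alerts the server sent (`protocol version`) point at different ends of the TLS negotiation.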