802.1x with GoDaddy Certificates EAP-TTLS

work vlpl thework.vlpl at gmail.com
Sat Jul 22 16:47:17 UTC 2023



> On 22 Jul 2023, at 17:24, johan firdianto <johanfirdi at gmail.com> wrote:
> 
> This CA is for browser or for eap ?

Yes, but I think it is named the system CA store, i.e. it is not special or used just for the browsers.

I think it depends on Android. Different vendors might not use stock Android and may reimplement or cripple the base UI, so maybe your device does not expose a setting to select the CA store.

Under the hood, Android uses wpa_supplicant and just passes it the parameters for Wi-Fi/RADIUS authorization. If your UI does not show which CA store will be used, you can try enabling debug logs and then examining them.

Here are the logs from my device; I've redacted personal info.



 WifiNetworkSuggestionsManager: Enterprise config:
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: anonymous_identity "anon at fjf.com"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: password <removed>
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: proactive_key_caching 1
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: client_cert NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: key_id NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: engine 0
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: engine_id NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: identity "username at whatever.com"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: ca_path "/system/etc/security/cacerts"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: domain_suffix_match "radius.whatever.com"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: ca_cert NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: eap_method: PEAP
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: phase2_method: MSCHAPV2
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  ocsp: 0
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  trust_on_first_use: false
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  user_approve_no_ca_cert: false
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  selected_rcoi: 0
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: IP config:
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: IP assignment: DHCP
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: Proxy settings: NONE
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  cuid=1000 cname=android.uid.system:1000 luid=1000 lname=android.uid.system:1000 lcuid=1000 allowAutojoin=true noInternetAccessExpected=false mostRecentlyConnected=false 
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: lastConnected: 07-22 15:08:45.489 



07-22 15:08:39.738 10133 10133 D wpa_supplicant: SSL: SSL_connect:TLS client verify_server_certificate
07-22 15:08:39.753 10133 10133 D wpa_supplicant: OpenSSL: Peer certificate - depth 2
07-22 15:08:39.753 10133 10133 D wpa_supplicant: Certificate:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:     Data:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Version: 3 (0x2)
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Serial Number:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:             03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
07-22 15:08:39.753 10133 10133 D wpa_supplicant:     Signature Algorithm: sha256WithRSAEncryption
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Validity
07-22 15:08:39.753 10133 10133 D wpa_supplicant:             Not Before: Aug  1 12:00:00 2013 GMT
07-22 15:08:39.753 10133 10133 D wpa_supplicant:             Not After : Jan 15 12:00:00 2038 GMT
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Subject Public Key Info:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:             Public Key Algorithm: rsaEncryption
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                 Public-Key: (2048 bit)
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                 Modulus:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     00:bb:37:cd:34:dc:7b:6b:c9:b2:68:90:ad:4a:75:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     ff:46:ba:21:0a:08:8d:f5:19:54:c9:fb:88:db:f3:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     ae:f2:3a:89:91:3c:7a:e6:ab:06:1a:6b:cf:ac:2d:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     e8:5e:09:24:44:ba:62:9a:7e:d6:a3:a8:7e:e0:54:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     75:20:05:ac:50:b7:9c:63:1a:6c:30:dc:da:1f:19:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     b1:d7:1e:de:fd:d7:e0:cb:
07-22 15:08:39.754 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2' hash=cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
07-22 15:08:39.755 10133 10133 D wpa_supplicant: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=2 buf='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2'


...


07-22 15:08:39.766 10133 10133 D wpa_supplicant: OpenSSL: Certificate Policy 2.23.140.1.2.2
07-22 15:08:39.766 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=<...>.com' hash=4
07-22 15:08:39.769 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:<...>.com
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='<...>.com'
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: Match domain against suffix <...>.com
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: Certificate dNSName - hexdump(len=24): <....>
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: Suffix match in dNSName found
07-22 15:08:39.769 10133 10133 D wpa_supplicant: EAP: Status notification: remote certificate verification (param=success)


More information about the Freeradius-Users mailing list
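The logs above show the three things that decide whether a supplicant can be tricked by a rogue access point when the RADIUS server uses a certificate from a public CA (GoDaddy, DigiCert, ...): which trust anchors are used (ca_cert / ca_path), whether domain_suffix_match pins the server name, and whether the supplicant reported "remote certificate verification (param=success)". With a public CA store, domain_suffix_match is what stops any other publicly issued certificate from being accepted. The following script is an added example, not code from the post or from the wpa_supplicant project: it parses logcat lines in the format shown above (the sample lines are constructed, with placeholder names and a zeroed leaf hash), reimplements wpa_supplicant's documented label-wise domain_suffix_match comparison, and reports the weaknesses a defender would look for. Everything it reads is taken from the log format as shown in the post; the field names it relies on (ca_cert, ca_path, domain_suffix_match, trust_on_first_use, CTRL-EVENT-EAP-PEER-CERT, CTRL-EVENT-EAP-PEER-ALT) are the ones visible there.

```python
import re

# Constructed sample logcat excerpt modelled on the lines in the post.
# Host names are placeholders; the depth=0 hash is a dummy value.
SAMPLE_LOG = """\
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: ca_path "/system/etc/security/cacerts"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: domain_suffix_match "radius.example.com"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: ca_cert NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: eap_method: PEAP
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: phase2_method: MSCHAPV2
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  trust_on_first_use: false
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  user_approve_no_ca_cert: false
07-22 15:08:39.754 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2' hash=cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
07-22 15:08:39.766 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.com' hash=0000000000000000000000000000000000000000000000000000000000000000
07-22 15:08:39.769 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.example.com
07-22 15:08:39.769 10133 10133 D wpa_supplicant: EAP: Status notification: remote certificate verification (param=success)
"""

# Same excerpt with the CA store removed: the supplicant would then accept any server.
WEAK_LOG = SAMPLE_LOG.replace('ca_path "/system/etc/security/cacerts"', 'ca_path NULL')

CONFIG_RE = re.compile(r'WifiNetworkSuggestionsManager:\s+(\w+):?\s+(.+?)\s*$')
PEER_CERT_RE = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)' hash=(\w+)")
PEER_ALT_RE = re.compile(r"CTRL-EVENT-EAP-PEER-ALT depth=(\d+) (\w+):(\S+)")
VERIFY_RE = re.compile(r"remote certificate verification \(param=(\w+)\)")


def domain_suffix_match(name, suffix):
    """wpa_supplicant's domain_suffix_match rule: compare DNS labels from the
    right; every label of the suffix must be present in the certificate name,
    and the certificate may carry extra leading labels. So "radius.example.com"
    matches suffix "example.com", while "badexample.com" does not."""
    n = name.lower().rstrip('.').split('.')
    s = suffix.lower().rstrip('.').split('.')
    return len(s) <= len(n) and n[-len(s):] == s


def parse_log(text):
    """Pull the enterprise config, the presented certificate chain, the leaf
    SANs and the final verification result out of a logcat excerpt."""
    cfg, certs, sans, verify = {}, [], [], None
    for line in text.splitlines():
        if (m := PEER_CERT_RE.search(line)):
            certs.append({'depth': int(m.group(1)), 'subject': m.group(2), 'hash': m.group(3)})
        elif (m := PEER_ALT_RE.search(line)):
            sans.append({'depth': int(m.group(1)), 'type': m.group(2), 'value': m.group(3)})
        elif (m := VERIFY_RE.search(line)):
            verify = m.group(1)
        elif (m := CONFIG_RE.search(line)):
            cfg[m.group(1)] = m.group(2).strip('"')
    return {'config': cfg, 'certs': certs, 'sans': sans, 'verify': verify}


def assess(text):
    """Return the parsed data plus a list of findings; an empty list means the
    client validates the server against a CA, pins the server name, and the
    presented leaf certificate satisfied that pin."""
    r = parse_log(text)
    cfg, findings = r['config'], []
    has_ca = cfg.get('ca_cert', 'NULL') != 'NULL' or cfg.get('ca_path', 'NULL') != 'NULL'
    if not has_ca:
        findings.append('no ca_cert/ca_path: server certificate is not validated at all')
    if cfg.get('trust_on_first_use', 'false') == 'true':
        findings.append('trust_on_first_use enabled: the first connection is unauthenticated')
    if cfg.get('user_approve_no_ca_cert', 'false') == 'true':
        findings.append('user_approve_no_ca_cert enabled: the user can wave through an unverified server')
    suffix = cfg.get('domain_suffix_match', '')
    if has_ca and not suffix:
        findings.append('CA store set but no domain_suffix_match: any server cert from a trusted CA is accepted')
    leaf_names = [s['value'] for s in r['sans'] if s['depth'] == 0 and s['type'] == 'DNS']
    if suffix and leaf_names and not any(domain_suffix_match(n, suffix) for n in leaf_names):
        findings.append('no leaf dNSName in %s matches domain_suffix_match %r' % (leaf_names, suffix))
    if r['verify'] != 'success':
        findings.append('server certificate verification result: %s' % r['verify'])
    r['findings'] = findings
    r['ok'] = not findings
    return r


if __name__ == '__main__':
    for label, log in (('sample', SAMPLE_LOG), ('weakened', WEAK_LOG)):
        result = assess(log)
        print(label, 'OK' if result['ok'] else 'FINDINGS')
        for f in result['findings']:
            print('  -', f)
```

Run it against a real `adb logcat` capture by feeding the file contents to `assess()`; the parse is line-oriented, so the rest of the capture is simply ignored. The suffix comparison is deliberately label-based rather than a string `endswith()`, because a plain string suffix check would let a certificate for `notradius.example.com` pass a pin of `radius.example.com`.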