EAP-TLS default config
Alan DeKok
aland at deployingradius.com
Tue Mar 7 15:56:54 UTC 2023
On Mar 7, 2023, at 9:58 AM, clement.legoffic at kelio.com wrote:
>
>> The android phone is not configured to do EAP-TLS.
>
> Hello, I have managed to set up 2 different Android devices to connect to my 802.1X network.
> The "user" certs are installed in each device.
> When I initiate the EAP-TLS I get the below debug output.
> The EAP-TLS communication seems to work well, but the communication ends up failing due to an internal error.
> I have not figured out how to manage this error. Do I need to change my TLS version?
> What exactly does the debug output mean here:
> "eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error"
It's OpenSSL magic. :(
> ...
> (34) eap: Calling submodule eap_tls to process data
> (34) eap_tls: (TLS) EAP Done initial handshake
> (34) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
> (34) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
That's the android device saying that it doesn't want to talk to FreeRADIUS.
Why? See the logs on the android device. You can't debug this by looking at the FreeRADIUS logs.
The general advice here is to make sure that you aren't doing anything unusual with the certificates. So how were the certificates created? Where did you get them from?
You can typically use web certs (and a web CA) for 802.1X, and it will work. That is well tested.
But if you're creating the certificates yourself, and doing something special "for security", there's a good chance it won't work.
Use standard certs. It's what everyone else does, and it works.
Alan DeKok.
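An added example, not part of the thread and not FreeRADIUS code, illustrating the "use standard certs" advice above. It assumes only that the `openssl` CLI (1.1.1 or newer) is on PATH. It builds a throwaway lab CA, a RADIUS server certificate with the serverAuth EKU and an EAP-TLS client certificate with the clientAuth EKU, plus one "special" client certificate issued with the wrong EKU, and then runs `openssl verify -purpose`, the same chain-and-purpose check a TLS peer applies, so a certificate a supplicant would reject is caught on the server side before any phone sends a fatal alert. All names, file paths and certificate subjects are constructed for the lab.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI is on PATH.
# Everything it creates lives in a temporary directory and is deleted on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
write_cfg() {
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"
}

# Issue a leaf certificate from the lab CA.
# $1 = file stem, $2 = CN (constructed), $3 = extendedKeyUsage value
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Build the lab CA and three leaf certs (all constructed, lab use only).
gen_certs() {
  write_cfg
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Lab EAP CA" -days 2 \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
  issue_leaf server radius.lab.example serverAuth   # what a web-style server cert carries
  issue_leaf client phone-user clientAuth           # what a web-style client cert carries
  issue_leaf odd phone-user serverAuth              # the "something special" case: wrong EKU
}

# Chain + purpose check. $1 = file stem, $2 = sslserver or sslclient.
# Returns 0 only if the cert chains to the lab CA AND its key usage /
# extended key usage allow that TLS role.
check_cert() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

# Print subject and EKU so a mismatch is visible at a glance.
show_eku() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject -ext extendedKeyUsage
}

main() {
  gen_certs
  for pair in "server sslserver" "client sslclient" "odd sslclient"; do
    set -- $pair
    if check_cert "$1" "$2"; then
      echo "$1: OK for purpose $2"
    else
      echo "$1: REJECTED for purpose $2"
    fi
    show_eku "$1"
  done
}

main
```

Run it once against your own CA and client certificate (swap the lab paths for yours) before blaming the TLS version: a certificate that fails the sslclient or sslserver purpose check here will fail the same way inside the TLS handshake, and the only visible symptom on the RADIUS side is the opaque alert in the original post.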