EAP-TLS default config

clement.legoffic at kelio.com clement.legoffic at kelio.com
Wed Mar 8 13:45:33 UTC 2023

> >> The android phone is not configured to do EAP-TLS.
> >
> > Hello, I have managed to set up 2 different Android devices to connect to my
> 802.1X network.
> > The "user" certs are installed in each device.
> > When I initiate the EAP-TLS I get the below debug output.
> > The EAP-TLS communication seems to work well, but the communication
> ends up failing due to an internal error.
> > I have not figured out how to manage this error. Do I need to change my
> TLS version?
> > What exactly does the debug output mean here:
> > "eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL
> routines:ssl3_read_bytes:tlsv1 alert internal error"
>   It's OpenSSL magic.  :(

Sadly, even on the Android side I get unintelligible log output :(

> > ...
> > (34) eap: Calling submodule eap_tls to process data
> > (34) eap_tls: (TLS) EAP Done initial handshake
> > (34) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
> > (34) eap_tls: (TLS) The client is informing us that there is a failure inside
> the TLS protocol exchange.
>   That's the android device saying that it doesn't want to talk to FreeRADIUS.
>   Why?  See the logs on the android device.  You can't debug this by looking
> at the FreeRADIUS logs.
>   The general advice here is to make sure that you aren't doing anything
> unusual with the certificates.  So how were the certificates created?  Where
> did you get them from?

I get the certificates from the freeradius certs folder that is inside the FreeRADIUS Dockerfile.
They are legit and seem to work, as they work on an embedded Linux device.
The point is that I can't import the original p12 file format provided by the FreeRADIUS container.
I am up against this error: https://stackoverflow.com/questions/71872900/installing-pcks12-certificate-in-android-wrong-password-bug
I followed the solutions exposed by the two main answers (to test them), and so I get two more p12 files that contain the same certificate and key (I can import them in Android).
I still get the above error on the FreeRADIUS side and unintelligible logs on the Android side.
Are there any specifications for making FreeRADIUS work natively with recent Android versions, or do I have to struggle with OpenSSL?
My objective is to use EAP-TLS with an Android phone.

>   You can typically use web certs (and a web CA) for 802.1X, and it will work.
> That is well tested.
>   But if you're creating the certificates yourself, and doing something special
> "for security", there's a good chance it won't work.
>   Use standard certs.  It's what everyone else does, and it works.
>   Alan DeKok.
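The error line quoted in this thread can be decoded mechanically to show which side raised the alert. The following script is an added example (not code from the thread or from FreeRADIUS): it unpacks an OpenSSL 1.1.x-style error code (lib<<24 | func<<12 | reason, the layout assumed here; OpenSSL 3 packs codes differently) and a raw TLS alert record into the standard alert name, and flags reasons in the 1000+ range as alerts received from the peer, which is why the FreeRADIUS log alone cannot explain an `internal_error` sent by the Android client.

```python
"""Decode OpenSSL error codes and TLS alert records from an eap_tls log line."""
import re

# TLS AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6).
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
    112: "unrecognized_name", 116: "certificate_required",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ERR_LIB_SSL = 20             # OpenSSL library id for libssl
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reason for a received alert = 1000 + description

def decode_openssl_error(code):
    """Split a packed OpenSSL 1.1.x code into lib/func/reason and, when the
    reason encodes an alert received from the peer, name that alert."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason, "alert": None, "from_peer": False}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        info["alert"] = ALERT_NAMES.get(reason - SSL_AD_REASON_OFFSET, "unknown")
        info["from_peer"] = True  # the alert was received, not generated locally
    return info

def decode_log_line(line):
    """Pull the 8-hex-digit OpenSSL code out of an eap_tls error line."""
    m = re.search(r"error:([0-9A-Fa-f]{8})", line)
    return decode_openssl_error(int(m.group(1), 16)) if m else None

def decode_alert_record(record):
    """Decode a raw TLS alert record: type 21, version, length 2, level, description."""
    if len(record) < 7 or record[0] != 21 or int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("not a TLS alert record")
    level, desc = record[5], record[6]
    return ALERT_LEVELS.get(level, "unknown"), ALERT_NAMES.get(desc, "unknown")

# Sample input: the error line quoted in this thread.
SAMPLE_LINE = ("eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL"
               " routines:ssl3_read_bytes:tlsv1 alert internal error")

if __name__ == "__main__":
    print(decode_log_line(SAMPLE_LINE))  # alert 'internal_error', from_peer True
```

The 0x14 library byte is libssl and the 0x438 reason is 1080, i.e. alert description 80 received from the client, so the next diagnostic step is the supplicant's own log, exactly as the reply above says.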

More information about the Freeradius-Users mailing list