EAP-PEAP Issue with new Android device

Alan DeKok aland at deployingradius.com
Tue Sep 19 12:15:05 UTC 2023


On Sep 19, 2023, at 7:32 AM, dlux at lux-it-systeme.de wrote:
> while trying to set up a new Android device an issue started to appear:
> Short Story: Authentication fails in the (I guess) P1 phase of EAP-PEAP with
> a message: certificate expired.

  Which means that the certificate expired.  No amount of poking things will un-expire the certificate.

  The cause is:

a) wrong time on the supplicant (likely not)

b) the certificate has actually expired.

c) the supplicant is broken somehow

  Which certificate has expired?  Maybe the server cert, or the CA cert which is on the Android device.

> Long Story: 
> The radius server is using LetsEncrypt Server certs for its TLS
> configuration. That setup works with every device I know of in this
> network.
> A new Android device however seems to behave weird with it. Logging
> FreeRADIUS with the -X flag results with the log below.
> The device is set to not validate the server cert

  Well, it is validating the server cert, isn't it?

> and use EAP-PEAP for P1
> and MSCHAPv2 for P2. kp@<domain-stripped> is the anonymous identity.
> 
> The last message seems rather short (TLS Length 7) which doesn't sound
> right.

  It's an alert from the supplicant to the server.  It's nothing more than an error message explaining why the supplicant is refusing to continue the TLS conversation.

> I know there is an issue with the domain detection because it's only checking
> for ntdomain. That's work for another day.

  This issue has nothing to do with domains.

  Either the supplicant is broken, or some certificate needed by the supplicant has expired.

  Check the server certificate.  If it's fine, then check the CA certificate.  If it's fine, check that the correct CA certificate is on the supplicant.

  After that, throw the supplicant in the garbage and get one that works.  It's very difficult to debug issues with closed devices.

  Or maybe there's an Android page somewhere which explains how to debug these issues on Android.  It's certainly not a FreeRADIUS problem.

  Alan DeKok.
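
Added example, not part of the original message and not FreeRADIUS code: a plaintext TLS alert record is a 5-byte record header plus a 2-byte alert (level, description), 7 bytes in total, which matches the "TLS Length 7" message discussed above. The decoder below shows how such a record maps to `certificate_expired`; the sample bytes are constructed and it is an assumption that the logged 7 bytes are one such record.

```python
import struct

CONTENT_TYPE_ALERT = 21            # TLS record content type for alerts
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Certificate-related alert descriptions from RFC 5246 / RFC 8446.
ALERT_DESCRIPTIONS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}


def decode_tls_alert(record: bytes) -> dict:
    """Decode one unencrypted TLS alert record (header + level + description)."""
    if len(record) < 5:
        raise ValueError("shorter than a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"content type {ctype} is not an alert")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        # An encrypted alert is longer than 2 bytes and cannot be read here.
        raise ValueError("not a plaintext 2-byte alert (encrypted or truncated)")
    level, description = body
    return {
        "record_bytes": 5 + length,
        "version": (major, minor),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"other({description})"),
        "certificate_related": description in ALERT_DESCRIPTIONS,
    }


# Constructed sample: alert record, TLS 1.2 version bytes, fatal, description 45.
SAMPLE_ALERT = bytes.fromhex("15030300022d".replace("022d", "02022d"))

if __name__ == "__main__":
    print(decode_tls_alert(SAMPLE_ALERT))
```

A fatal `certificate_expired` alert is only the supplicant's verdict; it does not say which certificate in the chain it rejected, so the server certificate, the CA certificate and the supplicant's copy of the CA still have to be checked in turn.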


