eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA

Alan DeKok aland at deployingradius.com
Fri Jan 5 15:18:58 UTC 2024

On Jan 5, 2024, at 10:09 AM, Dario Barbon <dbarbon at olicom.eu> wrote:
> My production FreeRADIUS server is configured to perform EAP-TLS; I created a private CA, a server certificate and client certificates. All certificates are stored inside the freeradius/certs directory. Below is the production mods-available/eap file:


  We don't need to see the configuration files.  It doesn't help.

> and the production virtual server file (sites-enabled/tlcamb-tag):

  You're trying to debug the supplicant by looking at the server configuration.  That's not a good idea.

> With this configuration in place I can connect to enterprise WiFi from Android devices. But very often only Android 11 devices (I don't really know why) "lose" client certificates. The installed certificates get removed from the device itself (often when the device goes out of WiFi range for one hour or more). So, to address this problem, I'm trying to add MSCHAPv2 and I updated the eap file, adding peap directives as follows:

  I would be very surprised if Android devices deleted their client certificates.  That's pathologically bad behavior.

  What does the debug output show for a system which has "lost" its client certificate?

> With the updated configuration in place I continue to successfully connect to WiFi using EAP-TLS, while if I try MSCHAPv2 I cannot connect.

  And the debug output says... what?

  If it says "unknown CA", I already explained what the problem is, and what needs to be done to fix it.

> I configured Android WiFi profile as follows:
> EAP Method: PEAP
> Phase 2 authentication: MSCHAPv2
> CA Certificate: use system certificates

  Perhaps that's the issue.  As I said, you have to configure the supplicant with the CA used to generate the server certificate.

> Online certificate status: do not validate

  That field is likely being ignored.

> Domain: I'm using the value of the commonName field of CA config file
> Identity: bob (the test user inside freeradius/users file)
> Password: whatever
> Please take note that the lost client certificate issue affects only Android 11 devices; different OS versions aren't affected.

  So it's an android issue.  Looking at the FreeRADIUS configuration won't help.

  Configure the Android systems with the server CA as I said before.  Run the server in debug mode to see what happens.  Don't post configuration files to the list.

  Alan DeKok.
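The point above (the supplicant has to trust the CA that issued the server certificate, otherwise the TLS handshake ends with an unknown_ca alert) can be reproduced offline with OpenSSL. The script below is an added example; it is not code from the thread, from FreeRADIUS or from Android. It builds a throw-away private CA and server certificate (the names "Example Private CA", "radius.example.net", "enterprise-wifi" and the scratch directory are made up), shows that chain verification fails against the system trust store alone, succeeds once the private CA is supplied, and prints the equivalent wpa_supplicant network block.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: reproduce the
# "unknown CA" condition offline with OpenSSL and show what the supplicant has
# to trust instead. All names (Example Private CA, radius.example.net,
# enterprise-wifi) and the scratch directory are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for the throw-away PKI

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf
write_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.net
EOF
}

# Private CA plus a RADIUS server certificate it signs (what the OP built).
make_pki() {
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/pki.cnf" -extensions v3_ca \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=radius.example.net" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_server \
    -out "$WORK/server.pem" 2>/dev/null
}

# "CA Certificate: use system certificates" = trust the OS store only.
# A private CA is not in it, so chain building fails; on the wire the
# supplicant sends TLS alert unknown_ca, which the server logs as
# "Alert read:fatal:unknown CA". Exit status is openssl's (non-zero here).
verify_with_system_store() {
  openssl verify "$WORK/server.pem"
}

# What the profile needs instead: the private CA installed as the trust anchor.
verify_with_private_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem"
}

# Name check: the name must match the server certificate's SAN/CN, not the CA's CN.
verify_server_name() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem"
}

# Equivalent wpa_supplicant block for the PEAP/MSCHAPv2 profile.
print_supplicant_block() {
  cat <<EOF
network={
    ssid="enterprise-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="bob"
    password="whatever"
    ca_cert="$WORK/ca.pem"
    domain_suffix_match="radius.example.net"
}
EOF
}

main() {
  make_pki
  echo "== system trust store only:"
  if verify_with_system_store; then
    echo "unexpected: a system CA issued this certificate"
  else
    echo "-> no trusted issuer: supplicant aborts with TLS alert unknown_ca"
  fi
  echo "== private CA configured on the supplicant:"
  verify_with_private_ca
  echo "== name check against the server certificate:"
  verify_server_name radius.example.net
  verify_server_name "Example Private CA" || echo "-> the CA's CN does not match the server certificate"
  print_supplicant_block
}

main
```

Two caveats a practitioner will want alongside this. First, `openssl verify` only models the trust decision the supplicant makes; the real failure is visible in `radiusd -X` output as the alert quoted in the subject line, which is why the reply asks for debug output rather than configuration files. Second, Android's "Domain" field is handed to wpa_supplicant as `domain_suffix_match`, which is compared against the DNS subjectAltName (or CN) of the server certificate; the `verify_server_name` calls above show the same check with OpenSSL's exact-match `-verify_hostname`, and a value taken from the CA's commonName will not match.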
