Windows Slow EAP-TLS Authentication

Luca Borruto luca.borruto at agicap.com
Fri Sep 20 07:54:59 UTC 2024


Hi (again) everyone,
This morning I ran into an issue where iOS devices are unable to
authenticate via RadSec (RADIUS over TLS).
Other devices, including Windows, macOS, and Android, work perfectly fine.

Here are the key details:
- No Intermediate Certificates: We are only using our root CA for both our
internal network and the Meraki-generated certificate for RadSec. There is
no intermediate CA in place.
- Configuration: FreeRADIUS is configured with `ca_dir`, as I need to add
both our custom Root CA and the Meraki-generated CA (from the APs) to the
trusted list.

Only iOS devices seem to have this issue, all other devices (Windows,
macOS, and Android) authenticate without any problems.
Here’s a snippet of the logs from an iOS device trying to authenticate:

```
Certificate chain - 1 intermediate CA cert(s) untrusted
To forbid these certificates see 'reject_unknown_intermediate_ca'
(TLS) untrusted certificate with depth [1] subject name
/DC=com/DC=redacted/CN=redacted-CA
(TLS) untrusted certificate with depth [0] subject name /CN=FVFJH7381WFY
...
(4) eap_tls: (TLS) TLS - recv TLS 1.2 Alert, fatal certificate_unknown
(4) eap_tls: (TLS) TLS - The client is informing us that it does not
recognize the server certificate.
(4) eap_tls: ERROR: (TLS) TLS - Alert read:fatal:certificate unknown
(4) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094416:SSL
routines:ssl3_read_bytes:sslv3 alert certificate unknown
(4) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(4) eap_tls: ERROR: [eaptls process] = fail
(4) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module
failed
(4) eap: Sending EAP Failure (code 4) ID 39 length 4
(4) eap: Failed in EAP select
```

It seems like iOS is rejecting the certificate during the handshake,
despite the configuration working fine on other platforms.
Has anyone else experienced this issue with iOS and RadSec or can offer
advice on how to resolve this?

Thanks!

On Fri, 20 Sept 2024 at 04:37, George Benjin <george.benjin at gmail.com>
wrote:

> That's great news Luca. Happy to help.
>
> Thanks for the offer to pull rank, Alan - we'll keep that in mind!
>
> Cheers
>
>
> On Thu, 19 Sept 2024 at 23:38, Luca Borruto via Freeradius-Users
> <freeradius-users at lists.freeradius.org> wrote:
> >
> > For the update, I’ve set up RadSec and it’s working perfectly now! Thanks
> > y’all for the help!
> >
> > Luca,
> >
> >
> > On Thu 19 Sep 2024 at 13:34, Alan DeKok <aland at deployingradius.com>
> wrote:
> >
> > > On Sep 19, 2024, at 1:51 AM, nabble at felix.world wrote:
> > > > We had this issue years ago and after several meetings, mails,
> capture
> > > analysis the support just blamed FreeRADIUS…
> > >
> > >   If it helps, maybe email me off-list.  I'm usually happy to join
> calls
> > > where I can pull rank on the vendor.
> > >
> > > Vendor: FreeRADIUS Open Source, it's terrible.  We're a billion dollar
> > > company, and filled with geniuses.  Our product is perfect!
> > >
> > > Alan: Hi!  I've been doing RADIUS since 1997.  When did you start your
> IT
> > > career?  Oh, I've also written most of the RADIUS standards.  And if I
> see
> > > that your product does things I don't like, I'll just update the next
> rev
> > > of the standards to forbid it.  At which point your product will be
> > > officially non-compliant with the RFCs.  And your customers will be
> pointing
> > > this out during sales calls.  Have a nice day!
> > >
> > > Vendor: Uh... I guess we'll fix it then.
> > >
> > >   I've had these conversations many times.
> > >
> > >   Where facts, logic, and reason don't work, pulling rank generally
> works.
> > >
> > >   Alan DeKok.
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
>


-- 
Luca Borruto
IT System Administrator
luca.borruto at agicap.com
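The debug log in the message above reports an untrusted certificate at depth 1, that is, a CA certificate sitting between the peer's own certificate (depth 0) and a trust anchor. The Go program below is an added illustration, not code from this thread or from FreeRADIUS: it builds a throwaway root / issuing CA / device certificate chain in memory (all names such as `internal-root-ca` and `client-device` are constructed placeholders) and verifies the device certificate three ways: with only the root trusted and the issuing CA absent from the handshake (fails, which is the situation the log describes), with the issuing CA presented alongside the device certificate (verifies up to the root), and with the issuing CA itself added to the trust store (verifies, ending at the issuing CA). Go's crypto/x509 stands in for OpenSSL here; the path-building rule is the same.

```go
package main

// Added example: in-memory PKI used to show which trust-store contents let a
// peer certificate verify. Not FreeRADIUS code; all names are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var nextSerial int64 = 1

// issue creates a certificate for cn. With parent == nil it is self-signed
// (a root); otherwise it is signed by parent/parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

type result struct {
	OK    bool
	Chain string // verified path "leaf -> ... -> anchor", or the verifier's error text
}

// verifyPeer checks leaf against the trusted anchors, treating presented as the
// extra certificates the peer sent in its handshake (everything after depth 0).
func verifyPeer(leaf *x509.Certificate, presented, trusted []*x509.Certificate) result {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return result{OK: false, Chain: err.Error()}
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return result{OK: true, Chain: strings.Join(names, " -> ")}
}

// scenarios builds root -> issuing CA -> device certificate (constructed names)
// and verifies the device certificate under three trust-store configurations.
func scenarios() map[string]result {
	root, rootKey := issue("internal-root-ca", true, nil, nil)
	inter, interKey := issue("internal-issuing-ca", true, root, rootKey)
	leaf, _ := issue("client-device", false, inter, interKey)

	return map[string]result{
		// Peer sends only its own certificate and only the root is trusted:
		// the "1 intermediate CA cert(s) untrusted" situation from the log.
		"leaf only, root trusted": verifyPeer(leaf, nil, []*x509.Certificate{root}),
		// Peer sends its full chain; only the root needs to be an anchor.
		"leaf+intermediate, root trusted": verifyPeer(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}),
		// Peer sends only its own certificate, but the issuing CA is an anchor.
		"leaf only, issuing CA trusted": verifyPeer(leaf, nil, []*x509.Certificate{inter}),
	}
}

func main() {
	for name, r := range scenarios() {
		fmt.Printf("%-34s ok=%-5v %s\n", name, r.OK, r.Chain)
	}
}
```

Reading it back against the thread: when a FreeRADIUS debug log names a depth-1 subject as untrusted, either the peer has to send its full chain or that issuing CA has to be present in the server's trust store. One general OpenSSL note for directory-based stores: OpenSSL locates certificates in a CA directory by subject-hash filename, so a certificate copied into the directory is only found after the directory has been rehashed (`openssl rehash` or `c_rehash`).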

