
List:       freeradius-users
Subject:    RE: certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi
From:       Julio Edel Salas Díaz <julio.salas () emincar ! com>
Date:       2022-12-20 18:44:07
Message-ID: 1a60f47569d94c4ba07e22b079e06a34 () EMC-STLWEX-03 ! EMINCAR ! ATPC

Hi Olivier, I don't know if you have solved the problem, but the way to solve it is: when you generate the certificate with acme.sh, add this parameter: '--preferred-chain "ISRG Root X1"'. Greetings.
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+julio.salas=emincar.com@lists.freeradius.org> On behalf of Olivier
Sent: Wednesday, June 29, 2022 11:47
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi

Thank you very much for replying!

By client, do you mean the WiFi access point or the Android device?


On Tue, Jun 28, 2022 at 22:13, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07@gmail.com> wrote:
> > For some time now, Android 11 requires cert validation in WiFi 
> > connections (see [1]).
> > At the same time, Android 11 also makes it much harder for end users 
> > to import a self-signed root CA (see [2]).
> > As I provide WiFi connectivity in BYOD environments and can't help 
> > end users when they import certs, I chose to test PEAP/MSCHAPv2 
> > with LetsEncrypt certs though I know this would be less secure than 
> > with a self-signed root CA.
> 
> That's fine.
> 
> > My lab setup includes:
> > - a Freeradius 3.0.21 on Debian Bullseye
> 
> I would very much suggest using 3.2.0.  It has better debugging for 
> TLS.  And packages are available on http://packages.networkradius.com
> 
> > (26) eap_peap: <<< recv TLS 1.3  [length 007e]
> 
> i.e. from the client
> 
> > (26) eap_peap: TLS_accept: SSLv3/TLS read client hello
> > (26) eap_peap: >>> send TLS 1.2  [length 003d]
> 
> i.e. FreeRADIUS is sending this.
> 
> > (31) eap_peap: <<< recv TLS 1.2  [length 0002]
> > (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
> 
> The client is sending this message to FreeRADIUS.
> 
> i.e. the client doesn't like the certificate sent by FreeRADIUS.
> 
> If the certificate isn't expired, then you need to fix the client.  Either its 
> time is wrong, or something else is going on. 
> Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
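The fix in this thread is a chain-selection problem rather than a FreeRADIUS one: Let's Encrypt's default chain at the time terminated at the old DST Root CA X3 cross-sign, whereas '--preferred-chain "ISRG Root X1"' makes acme.sh download the chain that ends at ISRG Root X1, so an EAP client that can no longer build a path through an expired root stops sending the "certificate expired" alert. Before reconfiguring the supplicant side, it is worth checking which root the chain file handed to FreeRADIUS actually terminates at, and whether any certificate in it is expired or close to it. The script below does that from a PEM chain file; it is an added example, not code from the thread or from the FreeRADIUS or acme.sh projects, and it assumes `openssl` is on PATH and that the chain file is in the usual order (server certificate first, intermediates after it). The file path and root CN passed in are assumptions for illustration; the domain in the acme.sh comment is a placeholder.

```shell
#!/bin/sh
# check_eap_chain.sh (added example, not from the thread or either project).
# Inspects the PEM chain FreeRADIUS presents to EAP clients and reports, for
# each certificate, subject, issuer and notAfter. Exits non-zero if a cert is
# expired (or expires within WARN_SECONDS) or if the chain does not end at
# the expected root CN. Requires openssl on PATH.
#
# Issuing with the chain the thread recommends (placeholder domain):
#   acme.sh --issue -d radius.example.invalid --preferred-chain "ISRG Root X1" ...

# split_chain CHAIN_FILE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ... in
# file order, one certificate per file.
split_chain() {
    chain="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$chain"
}

# issuer_cn CERT_FILE: prints the CN component of the certificate's issuer.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# chain_root_issuer CHAIN_FILE: prints the issuer CN of the last certificate,
# i.e. the root the client must hold in its trust store to complete the path
# (the root itself is normally not shipped in the chain file).
chain_root_issuer() {
    tmp=$(mktemp -d)
    split_chain "$1" "$tmp"
    n=$(ls "$tmp"/cert-*.pem | wc -l)
    issuer_cn "$tmp/cert-$n.pem"
    rm -rf "$tmp"
}

# check_chain CHAIN_FILE EXPECTED_ROOT_CN [WARN_SECONDS]
# Returns 0 when every certificate is valid for at least WARN_SECONDS
# (default 0, i.e. "not expired right now") and the chain ends at
# EXPECTED_ROOT_CN; returns 1 otherwise and says why.
check_chain() {
    chain="$1"; expected="$2"; warn="${3:-0}"
    tmp=$(mktemp -d)
    split_chain "$chain" "$tmp"
    n=$(ls "$tmp"/cert-*.pem | wc -l)
    rc=0
    i=1
    while [ "$i" -le "$n" ]; do
        c="$tmp/cert-$i.pem"
        subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits 1 if the certificate expires within the given window.
        if openssl x509 -in "$c" -noout -checkend "$warn" >/dev/null; then
            state="ok"
        else
            state="EXPIRED/EXPIRING"; rc=1
        fi
        printf '[%d] %s\n    subject:  %s\n    issuer:   %s\n    notAfter: %s\n' \
            "$i" "$state" "$subj" "$iss" "$end"
        i=$((i + 1))
    done
    root=$(issuer_cn "$tmp/cert-$n.pem")
    if [ "$root" != "$expected" ]; then
        echo "chain terminates at '$root', expected '$expected'"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Typical use (paths are assumptions): warn 30 days ahead of expiry.
# check_chain /etc/freeradius/3.0/certs/fullchain.pem "ISRG Root X1" 2592000
```

Run it against the chain file referenced by `certificate_file` in the FreeRADIUS `eap` module; if the last issuer printed is not the root you expect the Android devices to trust, reissue with the `--preferred-chain` option above rather than asking users to change their trust store.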

