[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: RE: certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi
From: Julio Edel Salas DÃaz <julio.salas () emincar ! com>
Date: 2022-12-20 18:44:07
Message-ID: 1a60f47569d94c4ba07e22b079e06a34 () EMC-STLWEX-03 ! EMINCAR ! ATPC
[Download RAW message or body]
Hi Oliver, I don't know if you have solved the problem, but the way to solve it is: \
when you generate the certificate with acme.sh add this parameter '--preferred-chain \
"ISRG Root X1"'. Greetings.
-----Mensaje original-----
De: Freeradius-Users \
<freeradius-users-bounces+julio.salas=emincar.com@lists.freeradius.org> En nombre de \
Olivier Enviado el: miércoles, 29 de junio de 2022 11:47
Para: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Asunto: Re: certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi
Thank you very much for replying !
By client, do you mean the WiFi access point or the Android device ?
Le mar. 28 juin 2022 à 22:13, Alan DeKok <aland@deployingradius.com> a écrit :
>
> On Jun 28, 2022, at 10:54 AM, Olivier <oza.4h07@gmail.com> wrote:
> > For some times now, Android 11 requires cert validation in WiFi
> > connections (see [1]).
> > At the same time, Android 11 also makes it much harder for end users
> > to import self-signed root CA (see [2]).
> > As I provide WiFi connectivity in BYOD environments and can't help
> > end users when they import certs, I choosed to test PEAP/MSCHAPv2
> > with LetsEncrypt certs though I know this would be less secure than
> > with self-signed root CA.
>
> That's fine.
>
> > My lab setup includes:
> > - a Freeradius 3.0.21 on Debian Bullseye
>
> I would very much suggest using 3.2.0. It has better debugging for
> TLS. And packages are available on http://packages.networkradius.com
>
> > (26) eap_peap: <<< recv TLS 1.3 [length 007e]
>
> i.e. from the client
>
> > (26) eap_peap: TLS_accept: SSLv3/TLS read client hello
> > (26) eap_peap: >>> send TLS 1.2 [length 003d]
>
> i.e. FreeRADIUS is sending this.
>
> > (31) eap_peap: <<< recv TLS 1.2 [length 0002]
> > (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
>
> The client is sending this message to FreeRADIUS.
>
> i.e. the client doesn't like the certificate sent by FreeRADIUS.
>
> If the certificate isn't expired, then you need to fix the client. Either it's \
> time is wrong, or something else is going on.
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic