
List:       freeradius-users
Subject:    Re: 802.1x with GoDaddy Certificates EAP-TTLS
From:       work vlpl <thework.vlpl () gmail ! com>
Date:       2023-07-22 16:47:17
Message-ID: 09126B32-3499-4C5F-958B-3187F7C17FF7 () gmail ! com



> On 22 Jul 2023, at 17:24, johan firdianto <johanfirdi@gmail.com> wrote:
> 
> This CA is for browser or for eap ?

Yes, but I think it is named the system CA store, i.e. it is not special or used just for browsers.

I think it depends on Android. Different vendors might not use stock Android and may reimplement or cripple the base UI, so maybe your device does not expose settings to select the CA store.

Under the hood, Android uses wpa_supplicant and just passes parameters to it to do Wi-Fi/RADIUS authorization. If your UI does not show which CA store will be used, you can try enabling debug logs and then examine them.

Here are the logs from my device; I've redacted personal info.



WifiNetworkSuggestionsManager: Enterprise config:
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: anonymous_identity "anon@fjf.com"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: password <removed>
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: proactive_key_caching 1
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: client_cert NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: key_id NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: engine 0
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: engine_id NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: identity "username@whatever.com"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: ca_path "/system/etc/security/cacerts"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: domain_suffix_match "radius.whatever.com"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: ca_cert NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: eap_method: PEAP
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: phase2_method: MSCHAPV2
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  ocsp: 0
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  trust_on_first_use: false
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  user_approve_no_ca_cert: false
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  selected_rcoi: 0
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: IP config:
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: IP assignment: DHCP
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: Proxy settings: NONE
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  cuid=1000 cname=android.uid.system:1000 luid=1000 lname=android.uid.system:1000 lcuid=1000 allowAutojoin=true noInternetAccessExpected=false mostRecentlyConnected=false
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: lastConnected: 07-22 15:08:45.489



07-22 15:08:39.738 10133 10133 D wpa_supplicant: SSL: SSL_connect:TLS client verify_server_certificate
07-22 15:08:39.753 10133 10133 D wpa_supplicant: OpenSSL: Peer certificate - depth 2
07-22 15:08:39.753 10133 10133 D wpa_supplicant: Certificate:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:     Data:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Version: 3 (0x2)
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Serial Number:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:             03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
07-22 15:08:39.753 10133 10133 D wpa_supplicant:     Signature Algorithm: sha256WithRSAEncryption
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Validity
07-22 15:08:39.753 10133 10133 D wpa_supplicant:             Not Before: Aug  1 12:00:00 2013 GMT
07-22 15:08:39.753 10133 10133 D wpa_supplicant:             Not After : Jan 15 12:00:00 2038 GMT
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
07-22 15:08:39.753 10133 10133 D wpa_supplicant:         Subject Public Key Info:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:             Public Key Algorithm: rsaEncryption
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                 Public-Key: (2048 bit)
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                 Modulus:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     00:bb:37:cd:34:dc:7b:6b:c9:b2:68:90:ad:4a:75:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     ff:46:ba:21:0a:08:8d:f5:19:54:c9:fb:88:db:f3:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     ae:f2:3a:89:91:3c:7a:e6:ab:06:1a:6b:cf:ac:2d:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     e8:5e:09:24:44:ba:62:9a:7e:d6:a3:a8:7e:e0:54:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     75:20:05:ac:50:b7:9c:63:1a:6c:30:dc:da:1f:19:
07-22 15:08:39.753 10133 10133 D wpa_supplicant:                     b1:d7:1e:de:fd:d7:e0:cb:
07-22 15:08:39.754 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2' hash=cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
07-22 15:08:39.755 10133 10133 D wpa_supplicant: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=2 buf='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2'


...


07-22 15:08:39.766 10133 10133 D wpa_supplicant: OpenSSL: Certificate Policy 2.23.140.1.2.2
07-22 15:08:39.766 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=<...>.com' hash=4
07-22 15:08:39.769 10133 10133 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:<...>.com
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='<...>.com'
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: Match domain against suffix <...>.com
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: Certificate dNSName - hexdump(len=24): <....>
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: Suffix match in dNSName found
07-22 15:08:39.769 10133 10133 D wpa_supplicant: EAP: Status notification: remote certificate verification (param=success)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
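
Added example, not part of the original message and not code from Android or wpa_supplicant: one way to examine debug logs like those above, a Python script that pulls the enterprise config and the tls_verify_cb results out of logcat text and flags a missing trust anchor, a missing domain_suffix_match, or a failed chain check. The function name audit, the finding rules, the reading of NULL as "unset", and the sample lines (constructed, with placeholder hostnames) are assumptions.

```python
import re

# Constructed sample in the logcat layout shown in the message above;
# hostnames and subjects are placeholders, not values from a real device.
SAMPLE = """\
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: ca_path "/system/etc/security/cacerts"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: domain_suffix_match "radius.example.org"
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager: ca_cert NULL
07-22 15:09:45.059  1625  1794 V WifiNetworkSuggestionsManager:  trust_on_first_use: false
07-22 15:08:39.755 10133 10133 D wpa_supplicant: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=2 buf='/CN=Example Root'
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/CN=radius.example.org'
07-22 15:08:39.769 10133 10133 D wpa_supplicant: TLS: Suffix match in dNSName found
07-22 15:08:39.769 10133 10133 D wpa_supplicant: EAP: Status notification: remote certificate verification (param=success)
"""

LINE = re.compile(r"^\S+ \S+\s+\d+\s+\d+ [VDIWE] (?P<tag>[^:]+): (?P<msg>.*)$")
KV = re.compile(r'^\s*(?P<key>[a-z_0-9]+):? (?P<val>"[^"]*"|\S+)$')
VERIFY = re.compile(r"tls_verify_cb - preverify_ok=(\d) err=(\d+) \(.*?\) ca_cert_verify=\d depth=(\d+)")

def audit(log):
    """Summarise one connection attempt's logcat text (assumed rules, see lead-in)."""
    cfg, depths, seen = {}, {}, set()
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        if m["tag"] == "WifiNetworkSuggestionsManager":
            kv = KV.match(m["msg"])
            if kv:  # "key value" or "key: value"; NULL is treated as unset
                val = kv["val"].strip('"')
                cfg[kv["key"]] = None if val == "NULL" else val
        elif m["tag"] == "wpa_supplicant":
            v = VERIFY.search(m["msg"])
            if v:  # one callback per certificate in the chain, keyed by depth
                depths[int(v[3])] = v[1] == "1" and v[2] == "0"
            elif "Suffix match in dNSName found" in m["msg"]:
                seen.add("suffix")
            elif "certificate verification (param=success)" in m["msg"]:
                seen.add("verified")
    findings = []
    if not (cfg.get("ca_cert") or cfg.get("ca_path")):
        findings.append("no trust anchor: neither ca_cert nor ca_path is set")
    if not cfg.get("domain_suffix_match"):
        findings.append("no domain_suffix_match: any certificate chaining to the CA store is accepted")
    if cfg.get("trust_on_first_use") == "true":
        findings.append("trust_on_first_use is enabled")
    findings += [f"chain verification failed at depth {d}" for d, ok in sorted(depths.items()) if not ok]
    return {"config": cfg, "suffix_matched": "suffix" in seen, "verified": "verified" in seen, "findings": findings}
```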

