meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network:wifi:wpae [2023/06/21 13:37] niziaknetwork:wifi:wpae [2023/10/23 11:14] (current) niziak
Line 1: Line 1:
 ====== WiFi WPA Enterprise ====== ====== WiFi WPA Enterprise ======
 +
 +===== Win 11 =====
 +
 +Windows 11 22H2 not connecting to WPA Enterprise
 +
 +  - Open Registry Editor
 +  - Navigate to ''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13''
 +  - Create ''DWORD'' key ''TlsVersion'' value ''FC0''
 +
 +''TlsVersion'' coding (values cane be OR-ed):
 +  - 0000 1100 0000 = 0x0C0 TLS1.0
 +  - 0011 0000 0000 = 0x300 TLS1.1
 +  - 1100 0000 0000 = 0xC00 TLS1.2
  
 ===== Android 11+ Devices ===== ===== Android 11+ Devices =====
Line 19: Line 32:
 Background: Background:
   * [[https://extremeportal.force.com/ExtrArticleDetail?an=000092023]]   * [[https://extremeportal.force.com/ExtrArticleDetail?an=000092023]]
 +  * [[https://wiki.freeradius.org/guide/certificate-compatibility|Certificate Compatibility]]
  
 Hints: Hints:
Line 38: Line 52:
 TODO TODO
  
 +
 +Android: 
 +  * "Domain" = CN from radius cert (=radius host name?)
 +  * Possible to add alternate names to cert to use short domain
 +[[https://learn.microsoft.com/pl-pl/mem/intune/configuration/wi-fi-settings-android-enterprise]]
 +
 +[[https://community.ui.com/questions/what-domain-for-android-when-setting-up-wpa2-enterprise-w-built-in-radius/4efa22a5-c909-465b-9755-a8507e34b08a#answer/3a14eb34-5ead-47ed-9472-910752c7ee50]]
 +
 +
 +
 +[[https://community.ui.com/questions/UDM-Radius-WPA-Enterprise-Android-11/10e1ef71-a0e5-4b83-885d-80deccbdef25]]
 +<code>
 +I don't disagree, but bottom line is that 11 will never connect without a trusted CA root (and all intermediates in the chain, if there are any, above the certificate your RADIUS server is presenting) physically installed to the phone. Just how it is. 
 +</code>
 +
 +Starting with Android 11 QPR1, you must enter the domain for server certification validation in order to successfully connect.
 +
 +
 +[[https://extremeportal.force.com/ExtrArticleDetail?an=000092023]]
 +<code>
 +The RADIUS certificate used by the 802.1X wireless controller or access point must use either:
 +
 +    A certificate signed by a trusted public Root certificate authority and configured to supply clients with the full certificate chain (root ->  intermediate(s) -> server), OR
 +    In the case of self-signed or private CA, pre-load the root and any intermediate certificates on the device's trust store prior to connection.
 +</code>
 Add both certs to client ? how to add intermediate ca ? Add both certs to client ? how to add intermediate ca ?
 +
 +New CA are added to ''User store'' only. There is no option without root right to move it to ''System store''
 +
 +
 +
 +[[https://serverfault.com/questions/1090456/freeradius-with-mixed-cas|FreeRadius with mixed CAs]]
  
 /etc/freeradius/3.0/mods-enabled/eap /etc/freeradius/3.0/mods-enabled/eap
Line 53: Line 98:
  
   auto_chain = yes   auto_chain = yes
 +}
 +</file>
 +
 +<file /etc/freeradius/3.0/mods-enabled/eap>
 +tls-config tls-common {
 +  private_key_password =
 +  private_key_file = ${certdir}/radius.int.example.com.key
 +
 +  certificate_file = ${certdir}/radius-chain.crt
 +  auto_chain = no
 } }
 </file> </file>
  
 apt-get install eapoltest apt-get install eapoltest
 +
 +
 +Consider one selfsigned CA: [[https://networkradius.com/doc/3.0.10/raddb/home.html]]
 +