

WiFi WPA Enterprise

Android 11+ Devices

NOTE: DRAFT!

Freeradius log:

eap_peap: TLS Alert read:fatal:unknown CA

Reason: The CA (Certification Authority) is not recognized by the client.

Certificate used by Freeradius:

/etc/freeradius/3.0/mods-enabled/eap
    private_key_file = /etc/ssl/private/radius.int.example.com.key
    certificate_file = /etc/ssl/certs/radius.int.example.com.crt

Background:

Hints:

Workaround for Android-based phones:

  • Download own CA from URL. Do not install it.
  • Open Settings –> Security –> Encryption & Credentials –> Install a Certificate –> Wi-Fi Certificate
  • Try to connect to WPA Enterprise network
    • EAP Method: PEAP
    • Phase 2 authentication: MSCHAPV2
    • CA certificate: Install. After installation, choose the just-installed certificate
    • Online certificate status: Do not verify

TODO

Android:

  • “Domain” = CN from radius cert (= radius host name?)
  • Possible to add Subject Alternative Names to the cert so that a short domain can be used

https://learn.microsoft.com/pl-pl/mem/intune/configuration/wi-fi-settings-android-enterprise

https://extremeportal.force.com/ExtrArticleDetail?an=000092023

The RADIUS certificate used by the 802.1X wireless controller or access point must use either:

  • A certificate signed by a trusted public Root certificate authority and configured to supply clients with the full certificate chain (root -> intermediate(s) -> server), OR
  • In the case of self-signed or private CA, pre-load the root and any intermediate certificates on the device's trust store prior to connection.

Add both certs to the client? How to add the intermediate CA?

FreeRadius with mixed CAs

/etc/freeradius/3.0/mods-enabled/eap

Use ca_path or ca_file, not both. Using ca_path requires running c_rehash on the referenced directory to create the hash symlinks for the certificates.

# Variant A: CA certificates (root + intermediates) live in a hashed ca_path
# directory and FreeRADIUS builds the chain it sends to clients by itself.
tls-config tls-common {
  private_key_password =
  private_key_file = ${certdir}/radius.int.example.com.key

  certificate_file = ${certdir}/radius.int.example.com.crt
  ca_path = ${cadir}

  auto_chain = yes
}

# Variant B: a pre-built chain file (server certificate first, followed by the
# intermediate CA certificates) is used as certificate_file; no automatic
# chain building.
tls-config tls-common {
  private_key_password =
  private_key_file = ${certdir}/radius.int.example.com.key

  certificate_file = ${certdir}/radius-chain.crt
  auto_chain = no
}
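The two tls-common variants differ only in where the CA material lives and who assembles the chain. The script below is an added example, not from this page or from the FreeRADIUS project: it builds a throwaway root -> intermediate -> server PKI with openssl, lays it out both ways (a rehashed ca_path directory for variant A, and a radius-chain.crt with the server certificate first for variant B), verifies each layout the way a client would, and puts the short name "radius" into the server certificate's SAN next to the FQDN, which is what the "alternate names" note under Android and the "root -> intermediate(s) -> server" chain requirement quoted above are about. The CA subjects, the host names and the "radius" alias are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the page): throwaway PKI + both FreeRADIUS layouts.
#   layout A: CA certs in a hashed directory for ca_path (auto_chain = yes)
#   layout B: server cert + intermediate concatenated into radius-chain.crt
#             used directly as certificate_file (auto_chain = no)
# All names below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
RADIUS_FQDN="radius.int.example.com"   # assumed, matches the file names on the page
RADIUS_SHORT="radius"                  # assumed short alias added to the SAN

# Root CA, intermediate CA and server certificate (RSA 2048, SHA-256).
mk_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  # Root: self-signed CSR so the same flow works on OpenSSL 1.1.1 and 3.x
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  # Server cert, signed by the intermediate. The SAN carries the FQDN and the
  # short name, so either can be the name a client is told to match.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:%s\n' \
    "$RADIUS_FQDN" "$RADIUS_SHORT" > "$WORK/srv.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$RADIUS_FQDN" \
    -keyout "$WORK/$RADIUS_FQDN.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/srv.ext" -out "$WORK/$RADIUS_FQDN.crt" 2>/dev/null
}

# Layout A: copy every CA cert into the ca_path directory and create the
# <hash>.N symlinks OpenSSL looks up there. `openssl rehash` is the built-in
# equivalent of the c_rehash script mentioned on the page.
mk_ca_path() {
  mkdir -p "$WORK/cadir"
  cp "$WORK/root.crt" "$WORK/int.crt" "$WORK/cadir/"
  openssl rehash "$WORK/cadir" 2>/dev/null || c_rehash "$WORK/cadir" >/dev/null 2>&1
}

# Layout B: one PEM file, server certificate FIRST, then the intermediate(s).
# The root is left out on purpose: the client must already trust it.
mk_chain_file() {
  cat "$WORK/$RADIUS_FQDN.crt" "$WORK/int.crt" > "$WORK/radius-chain.crt"
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Does the certificate's SAN list the given DNS name exactly?
has_san_dns() {
  openssl x509 -in "$1" -noout -text | tr -d ' ' | tr ',' '\n' | grep -qx "DNS:$2"
}

# Layout A check: can the server cert be chained purely from the hashed dir?
verify_ca_path() {
  openssl verify -CApath "$WORK/cadir" "$WORK/$RADIUS_FQDN.crt" >/dev/null 2>&1
}

# Layout B check, from the client's point of view: trust only the root and
# take the intermediate from the chain file the server would send.
verify_chain_file() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/radius-chain.crt" \
    "$WORK/$RADIUS_FQDN.crt" >/dev/null 2>&1
}

main() {
  mk_pki; mk_ca_path; mk_chain_file
  verify_ca_path    && echo "layout A (ca_path, rehashed): OK" || echo "layout A: FAILED"
  verify_chain_file && echo "layout B (radius-chain.crt, $(count_certs "$WORK/radius-chain.crt") certs): OK" || echo "layout B: FAILED"
  has_san_dns "$WORK/$RADIUS_FQDN.crt" "$RADIUS_SHORT" && echo "SAN contains DNS:$RADIUS_SHORT"
  echo "files left in $WORK"
}
main
```

If the layout B check fails but layout A passes, the usual cause is the order inside radius-chain.crt (server certificate must come first) or a missing intermediate; the files are left in $WORK so they can be inspected with openssl x509 -noout -subject -issuer.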

apt-get install eapoltest
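eapol_test (Debian package eapoltest, from the wpa_supplicant sources) runs the same PEAP/MSCHAPv2 exchange from a Linux host straight against the RADIUS server, with the private root CA pinned and the server name checked, which is what the Android workaround above does by hand; it is a quick way to reproduce the "unknown CA" alert from a client you control. The script below is an added example, not from this page or from the wpa_supplicant project. Server address, shared secret, user credentials, CA path and SSID are assumed placeholders, and domain_suffix_match is used as the wpa_supplicant counterpart of Android's "Domain" field.

```shell
#!/bin/sh
# Added example (not from the page): eapol_test configuration mirroring the
# Android PEAP/MSCHAPv2 settings. Every value below is an assumption.
set -eu

RADIUS_IP="${RADIUS_IP:-192.0.2.10}"                      # assumed (documentation range)
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"              # assumed shared secret
CA_CERT="${CA_CERT:-/etc/ssl/certs/private-root-ca.crt}"  # assumed path of the downloaded root CA
EAP_USER="${EAP_USER:-alice}"                             # assumed
EAP_PASS="${EAP_PASS:-alice-password}"                    # assumed

# Subject CN of a certificate, i.e. the name the page suggests using as "Domain".
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Write a wpa_supplicant network block equivalent to the Android screen:
#   EAP method PEAP, phase 2 MSCHAPV2, CA certificate = our own root,
#   "Domain" = name the RADIUS certificate must carry (domain_suffix_match).
write_eapol_conf() {
  out="$1"; domain="$2"
  cat > "$out" <<EOF
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="$EAP_USER"
    password="$EAP_PASS"
    ca_cert="$CA_CERT"
    domain_suffix_match="$domain"
}
EOF
}

# Talk RADIUS to the server directly; no access point is involved.
run_eapol_test() {
  eapol_test -c "$1" -a "$RADIUS_IP" -s "$RADIUS_SECRET" -t 10
}

main() {
  conf="$(mktemp)"
  # Take the expected name from the certificate FreeRADIUS serves when it is
  # readable here (path from the page); otherwise use the assumed host name.
  srv_crt="/etc/ssl/certs/radius.int.example.com.crt"
  if [ -r "$srv_crt" ]; then domain="$(cert_cn "$srv_crt")"; else domain="radius.int.example.com"; fi
  write_eapol_conf "$conf" "$domain"
  echo "wrote $conf (domain_suffix_match=$domain)"
  if command -v eapol_test >/dev/null 2>&1; then
    run_eapol_test "$conf"
  else
    echo "eapol_test not installed; on Debian/Ubuntu: apt-get install eapoltest"
  fi
}
main
```

A successful run ends with SUCCESS; a certificate the pinned root did not issue, or a server name that does not match domain_suffix_match, makes eapol_test abort the TLS handshake on the client side, which shows up in the FreeRADIUS log as the same kind of TLS alert as the Android case.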

Consider a single self-signed CA: https://networkradius.com/doc/3.0.10/raddb/home.html