freeradius / eap-tls / Android 13

mcury · May 26, 2023, 3:14 PM

@johnpoz said in freeradius / eap-tls / Android 13:

@mcury the way I read what you linked seems too says to lower it ;) hehe
"The simplest thing to try is to see eap.conf, and change fragment_size
to something smaller.

Indeed, but that pointed me to the right direction, from there I decided to perform a packet capture.
Once I set it to 1344, it worked, no more fragmentation.

I suppose it was here that I got the suggestion for this value from:
https://community.ui.com/questions/Issue-with-WPA2-Enterprise-Across-sites/7070e262-c2c6-403b-a61d-a98ad3b3db53

johnpoz · May 26, 2023, 3:23 PM

@mcury that seems to be talking about

"Framed-MTU and set it to 1344 and issue was resolved."

That is different than the fragment size.. Pretty sure that framed -mtu is calculated, I see different values when in debug mode

(3) Framed-MTU = 1400

Different one

(5) User-Name = "tablet.home.arpa"
(5) Framed-MTU += 994

Could you post your full output when you run in debug mode @furom attach as a .txt file.

furom · May 26, 2023, 3:24 PM

Could this be of relevance?

No EAP Start, assuming it's an on-going EAP conversation

Just prior to that it tries to match an email (containing a "@") and fails. So perhaps a username must be an email? Worth a try I suppose

johnpoz · May 26, 2023, 3:26 PM

@furom said in freeradius / eap-tls / Android 13:

So perhaps a username must be an email? Worth a try I suppose

I see the same notices.. And not having any issue..

(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4)   authorize {
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "tablet.home.arpa", skipping NULL due to config.
(4)     [suffix] = noop
(4) ntdomain: Checking for prefix before "\"
(4) ntdomain: No '\' in User-Name = "tablet.home.arpa", skipping NULL due to config.
(4)     [ntdomain] = noop
(4) eap: Peer sent EAP Response (code 2) ID 192 length 82
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4)     [eap] = updated
(4) files: users: Matched entry tablet.home.arpa at line 17
(4)     [files] = ok

mcury · May 26, 2023, 3:27 PM

@johnpoz said in freeradius / eap-tls / Android 13:

(3) Framed-MTU = 1400

This value is set in eap.conf, inside: tls-config tls-common {
# fragment_size = 1024
fragment_size = 1344

johnpoz · May 26, 2023, 3:32 PM

@mcury Your 2nd link talked about editing the framed-mtu, not the fragment size.. But I believe the framed mtu is normally calculated I thought, I sure don't have a framed-mtu in my eap file, and its seems to be calculating the different framed mtu size based on what size its seeing.

I don't really think its related to that - but something with his android version, seems their are a lot of discussion about android 11 or above and wpa enterprise.. What I have seen seems to be should have a problem in 12 as well. But I think some of these things are handled by the maker changes to their release for their devices.

I am using a lenovo with 12, and @furom is using a samsung with 13.. etc..

What versions of android are you using @mcury and your using eap-tls?

furom · May 26, 2023, 3:49 PM

@johnpoz said in freeradius / eap-tls / Android 13:

Could you post your full output when you run in debug mode @furom attach as a .txt file.

Sure, just trying to figure what to mask...

Edit:
This is the output from the run; out.txt

mcury · May 26, 2023, 3:37 PM

@johnpoz said in freeradius / eap-tls / Android 13:

What versions of android are you using @mcury and your using eap-tls?

Tested with Android 11, 12, Macbook air M1, Iphone 11 pro (I'm almost sure it is an iphone 11) and Windows 10 and 11 22H1.

Yes, using EAP-TLS (lets encrypt certificate), I just renew it within a 90 day period and upload it to freeradius server.

Let me enable the server here in my lab so I can post the debug for you.

johnpoz · May 26, 2023, 4:17 PM

@mcury Yeah not having any issues with iphone (13), ipad (air 5th gen) both running ios 16.5, windows 10 pro 22H2, acer chromebook running whatever latest os is as of day or two ago, and android lenovo p11+ tablet running 12.

Not sure what the issue is with his.. He got his android 7 working with wpa2 enterprise..

@furom did you get your windows test box working? Did you say you found an issue on your switch? So I assume you got your linux and windows and old tablet all working with wpa2-ent

I don't use amce for my certs for eap-tls, all certs via cert manger in pfsense (23.01) using ECDSA with prime256v1 for both the CA and the server and client certs.

Running unifi controller 7.4.156 and uap-ac-pro, lite and lr AP all on 6.5.54 firmware.

edit: here is output of rad -X and my tablet connecting.

debug.txt

Looks like this time it authed connecting to my LR - so have seen valid connections on all 3 of my different APs.

furom · May 26, 2023, 4:19 PM

@johnpoz said in freeradius / eap-tls / Android 13:

@mcury Yeah not having any issues with iphone (13), ipad (air 5th gen) both running ios 16.5, windows 10 pro 22H2, acer chromebook running whatever latest os is, and android lenovo p11+ tablet running 12.

Not sure what the issue is with his.. He got his android 7 working with wpa2 enterprise..

@furom did you get your windows test box working? Did you say you found an issue on your switch? So I assume you got your linux and windows and old tablet all working with wpa2-ent

I gave up on the windows client. Issue I had with the Netgate switch was not assigning the correct lan, so when corrected old tablet started working (issue then was it did not get an IP), which is the only client so far

johnpoz · May 26, 2023, 4:21 PM

@furom well maybe you want to try the amce certs, there shouldn't be anyway the tablet doesn't trust those.. Not exactly sure how you get a client cert, would assume just need to be able to validate your fqdn via dns would get you the client cert, just like your server cert, etc.

furom · May 26, 2023, 4:41 PM

@johnpoz said in freeradius / eap-tls / Android 13:

@furom well maybe you want to try the amce certs, there shouldn't be anyway the tablet doesn't trust those.. Not exactly sure how you get a client cert, would assume just need to be able to validate your fqdn via dns would get you the client cert, just like your server cert, etc.

I have though of it before, but that would require a domain and public DNS, which I don't have.
I really do appreciate you guys trying to find some sense in this. There is a beta of Android 14, not sure if I could load that on my tablet, but could be something. Hopefully this would be fixed in 14, but will hold my breath just a little while longer... :)

But as said earlier, 13 is a lot pickier with trusting the CA's. So I would not be surprised if 'let's encrypt' would work right away, as it is trusted by browsers by default

mcury · May 26, 2023, 7:44 PM

I took so long due because this VM wasn't powered on in six months..
My administrator account password expired, users account passwords expired, certificates expired...
More than 160 packages to update in Ubuntu..
Then I got my user stuck in SQL database since simultaneous use is set to one.
What a mess to get this lab working again..

With EAP details, ldap and SQL working.. (Android 12 Galaxy S10 connecting to a nandoHD).
full_test.txt

furom · May 27, 2023, 6:36 AM

So found some info last night that said the only way to make Android >11/12 accept a self-signed CA is now to use an MDM (Mobile Device Manager) or a secure app such as Knox to handle the certs.

Edit: Well... put it this way... It was yet another rabbit-hole... A pure nightmare for an average person like myself. Why would I want a full scale mobile deployment environment just to use decent security using certificates - for ONE lousy tablet?? :(

I even tried to get a secure folder working, it would possibly make it work too, but that is not available any longer... bummer...

furom · May 27, 2023, 7:47 AM

@furom but isn't this line a bit interersting...

Sat May 27 09:36:29 2023 : ERROR: (4) eap_tls: (TLS) Failed reading from OpenSSL: /var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/record/rec_layer_s3.c[1621]:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

It is clearly a path from building pfSense 23.01, or looks that way at least... Perhaps if I try using same certs but with a separate radius server... after all this it could not cause more grief (hopefully)

johnpoz · May 27, 2023, 8:42 AM

@furom said in freeradius / eap-tls / Android 13:

Perhaps if I try using same certs but with a separate radius server.

Why would that work? Its the client that has to trust the CA.

furom · May 27, 2023, 8:48 AM

@johnpoz said in freeradius / eap-tls / Android 13:

@furom said in freeradius / eap-tls / Android 13:

Perhaps if I try using same certs but with a separate radius server.

Why would that work? Its the client that has to trust the CA.

I know that. :) But thus far a lot less errors at least. :)

johnpoz · May 27, 2023, 9:02 AM

@furom what about this

https://aboutssl.org/how-to-create-and-import-self-signed-certificate-to-android-device/

Doesn't say what version of android, but it has it adding an option to the CA via openssl

openssl x509 -req -days 3650 -in CA.pem -signkey priv_and_pub.key -extfile ./android_options.txt -out CA.crt

Or I would assume the acme way would work - this isn't a self signed CA, etc. So for like the 10 you could get a domain you could use.. Or you can always get cheap domain like .xyz for like the first year for like 99 cents ;)

edit: guess I am lucky my tablet is only running 12, which accepts my CA.

edit2: also came across this

Android will not allow a Certificate Authority to be installed from certain locations. The SSL cert must be stored in local storage, but not in the "Downloads" folder and not in Google Drive. Even though this is permitted for user certificates, CA certificates won't work unless moved to a local folder that is not the downloads folder.

Where exactly are you putting the CA cert when you try to install it?

furom · May 27, 2023, 9:04 AM

@johnpoz said in freeradius / eap-tls / Android 13:

@furom what about this

https://aboutssl.org/how-to-create-and-import-self-signed-certificate-to-android-device/

Doesn't say what version of android, but it has it adding an option to the CA via openssl

openssl x509 -req -days 3650 -in CA.pem -signkey priv_and_pub.key -extfile ./android_options.txt -out CA.crt

Or I would assume the acme way would work - this isn't a self signed CA, etc. So for like the 10 you could get a domain you could use.. Or you can always get cheap domain like .xyz for like the first year for like 99 cents ;)

edit: guess I am lucky my tablet is only running 12, which accepts my CA.

edit2: also came across this

Android will not allow a Certificate Authority to be installed from certain locations. The SSL cert must be stored in local storage, but not in the "Downloads" folder and not in Google Drive. Even though this is permitted for user certificates, CA certificates won't work unless moved to a local folder that is not the downloads folder.

Where exactly are you putting the CA cert when you try to install it?

In the Downloads folder... Was too lazy to create another one. I figured when installed it gets copied anyways, but is perhaps just linked... worth a try! :)

furom · May 27, 2023, 9:05 AM

@furom This is where I'm at now;

(3) eap_tls: (TLS) EAP Done initial handshake
(3) eap_tls: (TLS) recv TLS 1.2 Alert, fatal unsupported_certificate
(3) eap_tls: (TLS) The client is informing us that it does not understand the certificate presented by the server.
(3) eap_tls: ERROR: (TLS) Alert read:fatal:unsupported certificate
(3) eap_tls: (TLS) Server : Need to read more data: error
(3) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000413:SSL routines::sslv3 alert unsupported certificate
(3) eap_tls: (TLS) In Handshake Phase
(3) eap_tls: (TLS) Application data.
(3) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(3) eap_tls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(3) eap: Sending EAP Failure (code 4) ID 25 length 4

I tried with a .crt cert when it needs .pem, so will convert and try again