Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    freeradius / eap-tls / Android 13

    Scheduled Pinned Locked Moved pfSense Packages
    61 Posts 4 Posters 7.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      furom @johnpoz
      last edited by furom

      @johnpoz said in freeradius / eap-tls / Android 13:

      @mcury Yeah not having any issues with iphone (13), ipad (air 5th gen) both running ios 16.5, windows 10 pro 22H2, acer chromebook running whatever latest os is, and android lenovo p11+ tablet running 12.

      Not sure what the issue is with his.. He got his android 7 working with wpa2 enterprise..

      @furom did you get your windows test box working? Did you say you found an issue on your switch? So I assume you got your linux and windows and old tablet all working with wpa2-ent

      I gave up on the windows client. Issue I had with the Netgate switch was not assigning the correct lan, so when corrected old tablet started working (issue then was it did not get an IP), which is the only client so far

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @furom
        last edited by

        @furom well maybe you want to try the amce certs, there shouldn't be anyway the tablet doesn't trust those.. Not exactly sure how you get a client cert, would assume just need to be able to validate your fqdn via dns would get you the client cert, just like your server cert, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        F 1 Reply Last reply Reply Quote 0
        • F
          furom @johnpoz
          last edited by furom

          @johnpoz said in freeradius / eap-tls / Android 13:

          @furom well maybe you want to try the amce certs, there shouldn't be anyway the tablet doesn't trust those.. Not exactly sure how you get a client cert, would assume just need to be able to validate your fqdn via dns would get you the client cert, just like your server cert, etc.

          I have though of it before, but that would require a domain and public DNS, which I don't have.
          I really do appreciate you guys trying to find some sense in this. There is a beta of Android 14, not sure if I could load that on my tablet, but could be something. Hopefully this would be fixed in 14, but will hold my breath just a little while longer... :)

          But as said earlier, 13 is a lot pickier with trusting the CA's. So I would not be surprised if 'let's encrypt' would work right away, as it is trusted by browsers by default

          M 1 Reply Last reply Reply Quote 0
          • M
            mcury @furom
            last edited by mcury

            I took so long due because this VM wasn't powered on in six months..
            My administrator account password expired, users account passwords expired, certificates expired...
            More than 160 packages to update in Ubuntu..
            Then I got my user stuck in SQL database since simultaneous use is set to one.
            What a mess to get this lab working again..

            With EAP details, ldap and SQL working.. (Android 12 Galaxy S10 connecting to a nandoHD).
            full_test.txt

            dead on arrival, nowhere to be found.

            1 Reply Last reply Reply Quote 0
            • F
              furom
              last edited by furom

              So found some info last night that said the only way to make Android >11/12 accept a self-signed CA is now to use an MDM (Mobile Device Manager) or a secure app such as Knox to handle the certs.

              Edit: Well... put it this way... It was yet another rabbit-hole... A pure nightmare for an average person like myself. Why would I want a full scale mobile deployment environment just to use decent security using certificates - for ONE lousy tablet?? :(

              I even tried to get a secure folder working, it would possibly make it work too, but that is not available any longer... bummer...

              F 1 Reply Last reply Reply Quote 0
              • F
                furom @furom
                last edited by furom

                @furom but isn't this line a bit interersting...

                Sat May 27 09:36:29 2023 : ERROR: (4) eap_tls: (TLS) Failed reading from OpenSSL: /var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/record/rec_layer_s3.c[1621]:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
                

                It is clearly a path from building pfSense 23.01, or looks that way at least... Perhaps if I try using same certs but with a separate radius server... after all this it could not cause more grief (hopefully)

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @furom
                  last edited by

                  @furom said in freeradius / eap-tls / Android 13:

                  Perhaps if I try using same certs but with a separate radius server.

                  Why would that work? Its the client that has to trust the CA.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  F 1 Reply Last reply Reply Quote 0
                  • F
                    furom @johnpoz
                    last edited by

                    @johnpoz said in freeradius / eap-tls / Android 13:

                    @furom said in freeradius / eap-tls / Android 13:

                    Perhaps if I try using same certs but with a separate radius server.

                    Why would that work? Its the client that has to trust the CA.

                    I know that. :) But thus far a lot less errors at least. :)

                    johnpozJ F 2 Replies Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @furom
                      last edited by johnpoz

                      @furom what about this

                      https://aboutssl.org/how-to-create-and-import-self-signed-certificate-to-android-device/

                      Doesn't say what version of android, but it has it adding an option to the CA via openssl

                      openssl x509 -req -days 3650 -in CA.pem -signkey priv_and_pub.key -extfile ./android_options.txt -out CA.crt

                      Or I would assume the acme way would work - this isn't a self signed CA, etc. So for like the 10 you could get a domain you could use.. Or you can always get cheap domain like .xyz for like the first year for like 99 cents ;)

                      edit: guess I am lucky my tablet is only running 12, which accepts my CA.

                      edit2: also came across this

                      Android will not allow a Certificate Authority to be installed from certain locations. The SSL cert must be stored in local storage, but not in the "Downloads" folder and not in Google Drive. Even though this is permitted for user certificates, CA certificates won't work unless moved to a local folder that is not the downloads folder.

                      Where exactly are you putting the CA cert when you try to install it?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      F 1 Reply Last reply Reply Quote 1
                      • F
                        furom @johnpoz
                        last edited by

                        @johnpoz said in freeradius / eap-tls / Android 13:

                        @furom what about this

                        https://aboutssl.org/how-to-create-and-import-self-signed-certificate-to-android-device/

                        Doesn't say what version of android, but it has it adding an option to the CA via openssl

                        openssl x509 -req -days 3650 -in CA.pem -signkey priv_and_pub.key -extfile ./android_options.txt -out CA.crt

                        Or I would assume the acme way would work - this isn't a self signed CA, etc. So for like the 10 you could get a domain you could use.. Or you can always get cheap domain like .xyz for like the first year for like 99 cents ;)

                        edit: guess I am lucky my tablet is only running 12, which accepts my CA.

                        edit2: also came across this

                        Android will not allow a Certificate Authority to be installed from certain locations. The SSL cert must be stored in local storage, but not in the "Downloads" folder and not in Google Drive. Even though this is permitted for user certificates, CA certificates won't work unless moved to a local folder that is not the downloads folder.

                        Where exactly are you putting the CA cert when you try to install it?

                        In the Downloads folder... Was too lazy to create another one. I figured when installed it gets copied anyways, but is perhaps just linked... worth a try! :)

                        1 Reply Last reply Reply Quote 0
                        • F
                          furom @furom
                          last edited by

                          @furom This is where I'm at now;

                          (3) eap_tls: (TLS) EAP Done initial handshake
                          (3) eap_tls: (TLS) recv TLS 1.2 Alert, fatal unsupported_certificate
                          (3) eap_tls: (TLS) The client is informing us that it does not understand the certificate presented by the server.
                          (3) eap_tls: ERROR: (TLS) Alert read:fatal:unsupported certificate
                          (3) eap_tls: (TLS) Server : Need to read more data: error
                          (3) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000413:SSL routines::sslv3 alert unsupported certificate
                          (3) eap_tls: (TLS) In Handshake Phase
                          (3) eap_tls: (TLS) Application data.
                          (3) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
                          (3) eap_tls: ERROR: [eaptls process] = fail
                          (3) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
                          (3) eap: Sending EAP Failure (code 4) ID 25 length 4
                          
                          

                          I tried with a .crt cert when it needs .pem, so will convert and try again

                          johnpozJ 1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @furom
                            last edited by johnpoz

                            @furom a .crt file is a pem.. That error could mean it its not trusting the cert, because the CA that signed it isn't trusted.

                            When you look in the crt does its show in the first line when open with text editor?

                            -----BEGIN CERTIFICATE-----

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            F 1 Reply Last reply Reply Quote 1
                            • F
                              furom @johnpoz
                              last edited by furom

                              @johnpoz said in freeradius / eap-tls / Android 13:

                              @furom a .crt file is a pem.. That error could mean it its not trusting the cert, because the CA that signed it isn't trusted.

                              When you look in the crt does its show in the first line when open with text editor?

                              -----BEGIN CERTIFICATE-----

                              It does. Both CA & cert

                              also, just tried moving the certs on the tablet out of Downloads and reinstalled them, then trying against freeRad/pfSense same issue as before...

                              (4) eap_tls: (TLS) EAP Done initial handshake
                              (4) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
                              (4) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
                              (4) eap_tls: (TLS) Server : Need to read more data: error
                              (4) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
                              (4) eap_tls: (TLS) In Handshake Phase
                              (4) eap_tls: (TLS) Application data.
                              (4) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
                              (4) eap_tls: ERROR: [eaptls process] = fail
                              (4) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
                              
                              johnpozJ 1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @furom
                                last edited by johnpoz

                                @furom you should see your CA as trusted in your user section..

                                trustedCA.jpg

                                Did you try it with the link I provided that has adding some sort of option to the CA cert.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                F 1 Reply Last reply Reply Quote 1
                                • F
                                  furom @johnpoz
                                  last edited by furom

                                  @johnpoz said in freeradius / eap-tls / Android 13:

                                  @furom you should see your CA as trusted in your user section..

                                  Well, it does not show up there... :( Under 'User certificates' both show though, but not whats matter here...

                                  Did you try it with the link I provided that has adding some sort of option to the CA cert.

                                  Not yet. much going on now, but will attend that now :)

                                  johnpozJ 1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @furom
                                    last edited by johnpoz

                                    @furom on my tablet I don't have to do anything special with the cert, I mean a CA created in pfsense would already have the basic constraint of CA already set

                                    basic.jpg

                                    I am able to install just from the download folder - I emailed myself the CA.crt - then just installed it, and there it is listed.

                                    tabletCA.png

                                    edit: you can then see the tablet trusts this certs signed by this CA

                                    trustednas.jpg

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    F 1 Reply Last reply Reply Quote 0
                                    • F
                                      furom @johnpoz
                                      last edited by

                                      @johnpoz Well then, if basic constrains is already included... :/

                                      johnpozJ 1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @furom
                                        last edited by johnpoz

                                        @furom but possible android 13 is looking for it elsewhere? Not really an android guy, but you should be able to check on your tablet if it trusts this CA, you should see it in your user section of trusted CAs - like the 2 I have installed.

                                        I have a few different CAs, one for home that I create certs for stuff like my nas, my printer, my pfsense gui, my switches gui's etc..

                                        I also have another one for openvpn, and then the one I created for freerad use.

                                        If you don't see it there - then yeah its highly unlikely that it would trust the cert your freerad server presents, etc.

                                        But its possible wifi stuff using its own settings? Like said not an android guy, notice it doesn't show my homeca as possible ca for my wireless?

                                        So for wireless you might have to install the CA under the wireless settings, but I would think if you have it installed and shown under your user for the system that using the use system certs should work.

                                        notshowing.png

                                        I tried using "system" in wifi and didn't work - I have to select the CA I installed using wifi

                                        freeradcert.jpg

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        F 1 Reply Last reply Reply Quote 0
                                        • F
                                          furom @johnpoz
                                          last edited by

                                          @johnpoz said in freeradius / eap-tls / Android 13:

                                          @furom but possible android 13 is looking for it elsewhere? Not really an android guy, but you should be able to check on your tablet if it trusts this CA, you should see it in your user section of trusted CAs - like the 2 I have installed.

                                          I have a few different CAs, one for home that I create certs for stuff like my nas, my printer, my pfsense gui, my switches gui's etc..

                                          I also have another one for openvpn, and then the one I created for freerad use.

                                          It is possible of course. It has never been this troublesome ever before, that is for sure...

                                          I will try the separate radserver once more. I just realized I did not install its server cert etc as also is needed...

                                          I'd rather not go the acme way, I don't want nor need the domain... Sad it must be a requirement, it is so close (and will probably just work) but still so far away... :)

                                          johnpozJ 1 Reply Last reply Reply Quote 0
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator @furom
                                            last edited by johnpoz

                                            @furom said in freeradius / eap-tls / Android 13:

                                            I will try the separate radserver once more

                                            This has nothing to do with it.. Your device needs to trust the CA that you sign the freerad server cert you are using in the freerad setup.

                                            And the freerad server needs to trust the client cert the client presents.. Be that freerad running on pfsense or not would have have nothing to do with your client trusting the CA, or presenting the correct cert that the freerad server will accept.

                                            If you can not get the CA installed on your tablet, or be able to set not to validate it - its not going to work. I believe later versions of android removed that option, which people are complaining about since they are having a hard time getting the CA actually installed as well..

                                            I am not having this issue, as you can see I can install CAs under the wifi setting.. But if you miss a step your going to have a bad day.. Your freerad server should have the same CA, and a server cert you created. Your client needs to trust the CA and present a cert also signed by the CA.

                                            Make sure you have fqdn set for the CN..

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                                            F 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.