Netgate Discussion Forum

EAP-TLS Failing with Android...

General pfSense Questions
6 Posts 3 Posters 1.0k Views
    abuttino, Sep 26, 2023, 6:41 PM (last edited Sep 26, 2023, 6:59 PM)

    ... any idea what I am doing wrong?

    authorize {
    (9)     [preprocess] = ok
    (9)     [chap] = noop
    (9)     [mschap] = noop
    (9)     [digest] = noop
    (9) suffix: Checking for suffix after "@"
    (9) suffix: No '@' in User-Name = "TonyB", skipping NULL due to config.
    (9)     [suffix] = noop
    (9) ntdomain: Checking for prefix before "\"
    (9) ntdomain: No '\' in User-Name = "TonyB", skipping NULL due to config.
    (9)     [ntdomain] = noop
    (9) eap: Peer sent EAP Response (code 2) ID 212 length 6
    (9) eap: No EAP Start, assuming it's an on-going EAP conversation
    (9)     [eap] = updated
    (9) files: users: Matched entry TonyB at line 2
    (9)     [files] = ok
    (9)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
    (9)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> FALSE
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (9)     [daily] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (9)     [weekly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (9)     [monthly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (9)     [forever] = noop
    (9)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
    (9)     ERROR: Failed retrieving values required to evaluate condition
    (9)     [expiration] = noop
    (9)     [logintime] = noop
    (9) pap: WARNING: Auth-Type already set.  Not setting to PAP
    (9)     [pap] = noop
    (9)   } # authorize = updated
    (9) Found Auth-Type = eap
    (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (9)   authenticate {
    (9) eap: Expiring EAP session with state 0xab3e0203a3ea0f6c
    (9) eap: Finished EAP session with state 0xab3e0203a3ea0f6c
    (9) eap: Previous EAP request found for state 0xab3e0203a3ea0f6c, released from the list
    (9) eap: Peer sent packet with method EAP TLS (13)
    (9) eap: Calling submodule eap_tls to process data
    (9) eap_tls: (TLS) Peer ACKed our handshake fragment
    (9) eap: Sending EAP Request (code 1) ID 213 length 123
    (9) eap: EAP session adding &reply:State = 0xab3e0203a2eb0f6c
    (9)     [eap] = handled
    (9)   } # authenticate = handled
    (9) Using Post-Auth-Type Challenge
    (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (9)   Challenge { ... } # empty sub-section is ignored
    (9) session-state: Saving cached attributes
    (9)   Framed-MTU = 470
    (9)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
    (9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
    (9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
    (9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
    (9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
    (9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
    (9) Sent Access-Challenge Id 174 from 172.16.2.1:1812 to 172.16.2.20:35483 length 181
    (9)   EAP-Message = 0x01d5007b0d8000000f21080708080809080a080b080408050806040105010601030302030301020103020202040205020602003e003c303a311830160603550403130f747a702d696e7465726e616c2d63613110300e060355040813074172697a6f6e61310c300a0603550407130350687816030300040e000000
    (9)   Message-Authenticator = 0x00000000000000000000000000000000
    (9)   State = 0xab3e0203a2eb0f6c65e17f4c80472a03
    (9) Finished request
    Waking up in 4.8 seconds.
    (10) Received Access-Request Id 175 from 172.16.2.20:35483 to 172.16.2.1:1812 length 250
    (10)   User-Name = "TonyB"
    (10)   NAS-IP-Address = 172.16.2.20
    (10)   NAS-Identifier = "76acb935cd20"
    (10)   Called-Station-Id = "76-AC-B9-35-CD-20:TZP-Corporate-West"
    (10)   NAS-Port-Type = Wireless-802.11
    (10)   Service-Type = Framed-User
    (10)   Calling-Station-Id = "0C-C4-13-49-B2-4E"
    (10)   Connect-Info = "CONNECT 0Mbps 802.11a"
    (10)   Acct-Session-Id = "C862C52193C78C28"
    (10)   Acct-Multi-Session-Id = "38DA6CC1B7453DF6"
    (10)   WLAN-Pairwise-Cipher = 1027076
    (10)   WLAN-Group-Cipher = 1027076
    (10)   WLAN-AKM-Suite = 1027073
    (10)   Framed-MTU = 1400
    (10)   EAP-Message = 0x02d5000d0d0015030300020250
    (10)   State = 0xab3e0203a2eb0f6c65e17f4c80472a03
    (10)   Message-Authenticator = 0xa6efda912b10c76a0d9c3c694e2ca715
    (10) Restoring &session-state
    (10)   &session-state:Framed-MTU = 470
    (10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
    (10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
    (10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
    (10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
    (10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
    (10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
    (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    (10)   authorize {
    (10)     [preprocess] = ok
    (10)     [chap] = noop
    (10)     [mschap] = noop
    (10)     [digest] = noop
    (10) suffix: Checking for suffix after "@"
    (10) suffix: No '@' in User-Name = "TonyB", skipping NULL due to config.
    (10)     [suffix] = noop
    (10) ntdomain: Checking for prefix before "\"
    (10) ntdomain: No '\' in User-Name = "TonyB", skipping NULL due to config.
    (10)     [ntdomain] = noop
    (10) eap: Peer sent EAP Response (code 2) ID 213 length 13
    (10) eap: No EAP Start, assuming it's an on-going EAP conversation
    (10)     [eap] = updated
    (10) files: users: Matched entry TonyB at line 2
    (10)     [files] = ok
    (10)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
    (10)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> FALSE
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (10)     [daily] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (10)     [weekly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (10)     [monthly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    (10)     [forever] = noop
    (10)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
    (10)     ERROR: Failed retrieving values required to evaluate condition
    (10)     [expiration] = noop
    (10)     [logintime] = noop
    (10) pap: WARNING: Auth-Type already set.  Not setting to PAP
    (10)     [pap] = noop
    (10)   } # authorize = updated
    (10) Found Auth-Type = eap
    (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (10)   authenticate {
    (10) eap: Expiring EAP session with state 0xab3e0203a2eb0f6c
    (10) eap: Finished EAP session with state 0xab3e0203a2eb0f6c
    (10) eap: Previous EAP request found for state 0xab3e0203a2eb0f6c, released from the list
    (10) eap: Peer sent packet with method EAP TLS (13)
    (10) eap: Calling submodule eap_tls to process data
    (10) eap_tls: (TLS) EAP Done initial handshake
    (10) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
    (10) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
    (10) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
    (10) eap_tls: (TLS) Server : Need to read more data: error
    (10) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
    (10) eap_tls: (TLS) In Handshake Phase
    (10) eap_tls: (TLS) Application data.
    (10) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
    (10) eap_tls: ERROR: [eaptls process] = fail
    (10) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
    (10) eap: Sending EAP Failure (code 4) ID 213 length 4
    (10) eap: Failed in EAP select
    (10)     [eap] = invalid
    (10)   } # authenticate = invalid
    (10) Failed to authenticate the user
    (10) Using Post-Auth-Type Reject
    (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (10)   Post-Auth-Type REJECT {
    (10) attr_filter.access_reject: EXPAND %{User-Name}
    (10) attr_filter.access_reject:    --> TonyB
    (10) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (10)     [attr_filter.access_reject] = updated
    (10)     [eap] = noop
    (10)     policy remove_reply_message_if_eap {
    (10)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (10)       else {
    (10)         [noop] = noop
    (10)       } # else = noop
    (10)     } # policy remove_reply_message_if_eap = noop
    (10)   } # Post-Auth-Type REJECT = updated
    (10) Login incorrect (Failed retrieving values required to evaluate condition): [TonyB/<via Auth-Type = eap>] (from client AC port 0 cli 0C-C4-13-49-B2-4E)
    (10) Delaying response for 1.000000 seconds
    Waking up in 0.3 seconds.
    Waking up in 0.6 seconds.
    (10) Sending delayed response
    (10) Sent Access-Reject Id 175 from 172.16.2.1:1812 to 172.16.2.20:35483 length 44
    (10)   EAP-Message = 0x04d50004
    (10)   Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 3.8 seconds.
    

    I have more logs but it appears to start over and this is the last attempt. Didn't want to inundate anyone with too much data.

    This is really frustrating because I already have an NPS server and that doesn't seem to work either.

    Hardware: Unifi 8 port switch, Nano, Beacon, Mesh running all directly to pfSense.

    Pixel 7 Pro configuration:
    EAP type - TLS
    My CA in Wi-Fi Certificates
    Domain name CN from CA
    User Certificate for TonyB
    Identity: TonyB

    I've tried all kinds of MSCHAP but they don't work either.
    Please help!

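    An added triage helper for logs of the shape pasted above (example code, not from the thread, FreeRADIUS or pfSense): it reduces `radiusd -X` output to the facts that decide where to look, namely which side sent the TLS alert, which server handshake message it followed, and the TLS versions offered and negotiated. The sample log is constructed and abridged from the exchange above.

```python
import re
# Constructed sample in the shape of the FreeRADIUS `radiusd -X` lines in the
# thread: request (9) ends in Access-Challenge, request (10) in Access-Reject.
SAMPLE_LOG = """\
(9)   User-Name = "TonyB"
(9)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(9) Sent Access-Challenge Id 174 from 172.16.2.1:1812 to 172.16.2.20:35483 length 181
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(10) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(10) Sent Access-Reject Id 175 from 172.16.2.1:1812 to 172.16.2.20:35483 length 44
"""
HANDSHAKE = re.compile(r'\(TLS\) (recv|send) (TLS \d\.\d) Handshake, (\w+)')
ALERT = re.compile(r'\(TLS\) (recv|send) (TLS \d\.\d) Alert, (\w+ \w+)')
USER = re.compile(r'User-Name = "([^"]*)"')
REPLY = re.compile(r'Sent (Access-\w+) Id')

def parse_eap_tls(log):
    # Reduce one EAP-TLS conversation to the facts needed for triage.
    s = {"user": None, "handshake": [], "alert": None, "result": None,
         "client_offered": None, "negotiated": None}
    for line in log.splitlines():
        if m := USER.search(line):
            s["user"] = m[1]
        if m := HANDSHAKE.search(line):
            step = (m[1], m[2], m[3])
            if step not in s["handshake"]:   # session-state replays earlier steps
                s["handshake"].append(step)
            if step[2] == "ClientHello" and step[0] == "recv":
                s["client_offered"] = step[1]
            if step[2] == "ServerHello" and step[0] == "send":
                s["negotiated"] = step[1]
        if m := ALERT.search(line):
            s["alert"] = {"dir": m[1], "version": m[2], "desc": m[3]}
        if m := REPLY.search(line):
            s["result"] = m[1]               # last RADIUS reply wins
    return s

def diagnose(s):
    if s["alert"] is None:
        return f"no TLS alert seen; final RADIUS reply {s['result']}"
    # "recv" is the server's view: the alert was sent by the supplicant.
    side = "supplicant" if s["alert"]["dir"] == "recv" else "server"
    sent = [msg for d, _, msg in s["handshake"] if d == "send"]
    asked = " (client certificate had been requested)" if "CertificateRequest" in sent else ""
    return (f"{side} aborted with {s['alert']['desc']} after server flight ending in "
            f"{sent[-1] if sent else 'nothing'}{asked}; client offered "
            f"{s['client_offered']}, negotiated {s['negotiated']}; final reply {s['result']}")
```

    In the log above the alert is `recv`, so the supplicant gave up right after the server asked for its client certificate; that points at the phone's certificate and CA trust rather than at the authorize section of the RADIUS server.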
    jimp moved this topic from pfSense Packages on Sep 26, 2023, 7:33 PM

      jimp (Rebel Alliance Developer Netgate), Sep 26, 2023, 7:35 PM

      Are you using the native Android client or the strongSwan app? You might try the strongSwan app to see if it works for you.

      The usual mistake with EAP-TLS is not matching the identifiers properly. The identifiers must match the strings in the certificate exactly.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        abuttino @jimp, Sep 26, 2023, 7:45 PM (last edited Sep 26, 2023, 7:47 PM)

        @jimp

        Test User Cert:

        Serial: 3397022198765462591
        Signature Digest: RSA-SHA256
        SAN: DNS:TonyB
        KU: Digital Signature, Non Repudiation, Key Encipherment
        EKU: TLS Web Client Authentication
        Key Type: RSA
        Key Size: 4096
        DN: /CN=TonyB/ST=Arizona/L=Phx
        Hash: 79de10a3
        Subject Key ID: A4:63:86:0C:07:00:48:09:52:ED:A6:31:CB:94:7D:CF:2E:AD:8A:B1
        Authority Key ID: keyid:C9:D9:47:CC:9F:81:EF:33:6F:C6:E1:8C:E2:48:2E:C0:CE:A9:09:06
        DirName:/CN=tzp-internal-ca/ST=Arizona/L=Phx
        serial:77:9F:05:A1:E2:11:E8:E4
        

        What is the identifier if it's not TonyB?

        This is a WPA-2 Enterprise setup, not a VPN.

        jimp moved this topic from IPsec on Sep 26, 2023, 7:48 PM

          jimp (Rebel Alliance Developer Netgate), Sep 26, 2023, 7:50 PM

          OK, you didn't mention it was WPA2-enterprise before, and usually EAP-TLS is IPsec around here.

          I haven't used EAP-TLS with WPA2 myself so I'm not sure what it may want there. Some things take the CN for an identifier, others want the whole subject, but it may be something else entirely since I was thinking IPsec with my previous response.


            abuttino @jimp, Sep 26, 2023, 7:54 PM (last edited Sep 26, 2023, 7:56 PM)

            @jimp

            I also put DEFAULT Auth-Type := Accept in there (on my u/n) and it just hangs and eventually gives up.

            There are obviously a few issues.

              johnpoz (LAYER 8 Global Moderator) @abuttino, Sep 26, 2023, 8:21 PM (last edited Sep 26, 2023, 8:22 PM)

              @abuttino there was a really long thread a while back about this - Android seems to be very problematic with trusting CAs

              https://forum.netgate.com/topic/180369/freeradius-eap-tls-android-13

              Only Android I had to work with was a Lenovo tablet, using an older version of Android.

              I use eap-tls with chromebook and ios phones and tablets and my windows pc without any issues.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.