OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: zeitlins on January 14, 2022, 03:01:45 pm

Title: 8021x WLAN Android 11
Post by: zeitlins on January 14, 2022, 03:01:45 pm
Hi

I want to change my 802.1X from PEAP-MS-CHAP v2 to EAP-TLS but seem to be stuck when not using a signed CA...

Currently FreeRADIUS gives the error

 2022-01-14T12:26:13       Auth: (85) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [mobile_device/<via Auth-Type = eap>] (from client AP1 port 1 cli XX-XX-FB-0C-07-E4)   
2022-01-14T12:26:13       ERROR: (85) eap_tls: ERROR: (TLS) Alert read:fatal:unknown CA

What I've read by now is that it's not possible to trust a self-signed CA in Android 11 and up ....

Any Ideas?

Happy to Test suggestions
Title: Re: 8021x WLAN Android 11
Post by: Mks on January 14, 2022, 10:19:58 pm
Hi,

What do you mean by "signed CA"? I assume you are talking about a self-signed certificate.

Unknown CA sounds to me like the RootCA certificate (which is self-signed by design) is not imported into the CA store of the device.

Usually the chain is: RootCA->IssuingCA->EndUser certificate

If you are using a self-signed certificate, it will not be accepted by the RADIUS server.

br
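To make the chain Mks describes (RootCA -> IssuingCA -> EndUser certificate) and the "unknown CA" alert concrete, here is an added example that is not part of the thread or of OPNsense/FreeRADIUS. It builds a throwaway two-tier CA with openssl, using the names from the poster's setup (radius-ca, radius-intermediate-ca, radius-server) and a constructed hostname, then runs the same path validation a supplicant performs: once with the root CA in the trust store and once with an empty trust store (only the intermediate is offered as an untrusted chain certificate). Only the first case validates; the second is the situation behind the "unknown CA" error.

```shell
#!/bin/sh
# Added example, not from the forum thread. Requires openssl 1.1.1 or newer.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# 1) Root CA: self-signed by design (the poster's "radius-ca").
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=radius-ca" -days 3650 >/dev/null 2>&1

# 2) Intermediate CA signed by the root (the poster's "radius-intermediate-ca").
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=radius-intermediate-ca" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > int.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 1825 -extfile int.ext >/dev/null 2>&1

# 3) RADIUS server certificate signed by the intermediate ("radius-server").
#    The DNS name is a constructed placeholder, not from the thread.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=radius-server" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.home.example\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > server.ext
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out server.crt -days 825 -extfile server.ext >/dev/null 2>&1

# Path validation as a client does it. -no-CAfile/-no-CApath empties the
# system trust store so only what we pass explicitly counts as trusted.
# The intermediate is passed as -untrusted: it may be used to build the
# chain but is not itself an anchor, exactly like the chain a RADIUS
# server sends during the TLS handshake.
verify_with_root() {
  # Root CA is in the trust store -> chain validates.
  if openssl verify -no-CAfile -no-CApath -CAfile root.crt \
       -untrusted int.crt server.crt >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "unknown CA"
  fi
}

verify_without_root() {
  # Trust store is empty (root never imported on the device) -> fails.
  if openssl verify -no-CAfile -no-CApath \
       -untrusted int.crt server.crt >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "unknown CA"
  fi
}

echo "with root CA imported:    $(verify_with_root)"
echo "without root CA imported: $(verify_without_root)"
```

The takeaway for this thread: the server certificate and the intermediate are sent by FreeRADIUS, but the root is never sent, so the device has to hold the root CA itself; importing only the server or intermediate certificate does not turn the chain into a trusted one.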
Title: Re: 8021x WLAN Android 11
Post by: zeitlins on January 14, 2022, 10:26:48 pm
I use a self-signed cert ... created on the OPNsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only accepting certs which are in the system root CA store, therefore trusted root CAs

I would like to implement my own CA without any MDM as this is my home network

Title: Re: 8021x WLAN Android 11
Post by: cookiemonster on January 17, 2022, 02:36:39 pm
I use a self-signed cert ... created on the OPNsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only accepting certs which are in the system root CA store, therefore trusted root CAs

I would like to implement my own CA without any MDM as this is my home network

That's only possible if you persuade the phone to have your root CA in its trusted root store. Otherwise your CA must be in, which means you need a cert signed by one of them.
Title: Re: 8021x WLAN Android 11
Post by: lfirewall1243 on January 17, 2022, 05:32:13 pm
I use a self-signed cert ... created on the OPNsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only accepting certs which are in the system root CA store, therefore trusted root CAs

I would like to implement my own CA without any MDM as this is my home network

It will only work if your clients trust that certificate.
1. Option: Import the CA to your clients' certificate store
2. Option: Use something like a ZeroSSL certificate for that
Title: Re: 8021x WLAN Android 11
Post by: zeitlins on January 18, 2022, 08:35:24 pm
I use a self-signed cert ... created on the OPNsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only accepting certs which are in the system root CA store, therefore trusted root CAs

I would like to implement my own CA without any MDM as this is my home network

That's only possible if you persuade the phone to have your root CA in its trusted root store. Otherwise your CA must be in, which means you need a cert signed by one of them.

I think that is the problem: as a user I can't add it to the trusted root store....
But thanks for confirming, it's bad for BYOD