Messages - zeitlins

#1
21.7 Legacy Series / Re: 8021x WLAN Android 11
January 18, 2022, 08:35:24 PM
Quote from: cookiemonster on January 17, 2022, 02:36:39 PM
Quote from: zeitlins on January 14, 2022, 10:26:48 PM
I use a self-signed cert ... created on the OPNsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only accepting certs which are in the system root CA, therefore trusted root CAs

I would like to implement my own CA without any MDM, as this is my home network
That's only possible if you persuade the phone to have your root CA in its trusted root store. Otherwise your CA must be in, which means you'd need a cert signed by one of them.

I think that is the problem: as a user I can't add it to the trusted root store....
But thanks for confirming, it's bad for BYOD
#2
21.7 Legacy Series / Re: 8021x WLAN Android 11
January 14, 2022, 10:26:48 PM
I use a self-signed cert ... created on the OPNsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only accepting certs which are in the system root CA, therefore trusted root CAs

I would like to implement my own CA without any MDM, as this is my home network



#3
21.7 Legacy Series / 8021x WLAN Android 11
January 14, 2022, 03:01:45 PM
Hi

I want to change my 8021x from PEAP-MS-CHAP v2 to EAP-TLS but seem to be stuck when not using a signed CA...

Currently FreeRADIUS gives the error:

2022-01-14T12:26:13       Auth: (85) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [mobile_device/<via Auth-Type = eap>] (from client AP1 port 1 cli XX-XX-FB-0C-07-E4)   
2022-01-14T12:26:13       ERROR: (85) eap_tls: ERROR: (TLS) Alert read:fatal:unknown CA

What I've read by now is that it's not possible to trust a self-signed CA in Android 11 and up ....

Any ideas?

Happy to test suggestions
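
Added example, not part of the original post or of FreeRADIUS itself: a small parser for log lines in the format quoted above that reports which side sent the TLS alert. It relies on the log wording: "Alert read" means the server read an alert sent by the supplicant, "Alert write" means the server sent it. The names `tls_alerts`, `SENDER` and `HINTS` and the third sample line are constructed for illustration.

```python
import re

# Constructed sample: lines 1-2 are quoted from the post, line 3 is made up.
SAMPLE_LOG = """\
2022-01-14T12:26:13       Auth: (85) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [mobile_device/<via Auth-Type = eap>] (from client AP1 port 1 cli XX-XX-FB-0C-07-E4)
2022-01-14T12:26:13       ERROR: (85) eap_tls: ERROR: (TLS) Alert read:fatal:unknown CA
2022-01-14T12:31:02       ERROR: (91) eap_tls: ERROR: (TLS) Alert write:fatal:unknown CA
"""

ALERT_RE = re.compile(
    r"\((?P<req>\d+)\)\s.*?eap_\w+:.*?\(TLS\) Alert "
    r"(?P<direction>read|write):(?P<level>\w+):(?P<desc>[^)\]]+)"
)

# read = alert received from the peer (supplicant); write = alert sent by the server.
SENDER = {"read": "supplicant", "write": "radius-server"}

HINTS = {
    ("supplicant", "unknown CA"):
        "client does not trust the CA that issued the RADIUS server certificate",
    ("radius-server", "unknown CA"):
        "server does not trust the CA that issued the client certificate",
}

def tls_alerts(log_text):
    """Return one record per distinct (request, direction, alert) in the log."""
    seen, records = set(), []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        desc = m["desc"].strip()
        key = (m["req"], m["direction"], desc)
        if key in seen:  # the Auth: and ERROR: lines repeat the same alert
            continue
        seen.add(key)
        sender = SENDER[m["direction"]]
        records.append({
            "time": line.split()[0],
            "request": int(m["req"]),
            "level": m["level"],
            "alert": desc,
            "sent_by": sender,
            "hint": HINTS.get((sender, desc), "see the TLS alert description"),
        })
    return records

if __name__ == "__main__":
    print(*tls_alerts(SAMPLE_LOG), sep="\n")
```

For the two lines from the post this yields a single record for request 85 with `sent_by` set to `supplicant`, i.e. the phone rejected the server's certificate chain rather than the server rejecting the user certificate.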
#4
Also switched to OpenSSL - and the updated version works...
I'll stick with OpenSSL for now... I'm happy to test on the next update to switch SSL versions again ;-)
#5
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.7_1 (amd64/LibreSSL) at Tue Jun 22 15:44:59 CEST 2021
>>> Check installed kernel version
Version 21.1.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..................................................................... done
***DONE***


Output of the health audit... Seems to be OK

I have not enabled LDAP in my FreeRADIUS configuration, but I see the same issue if I upgrade FreeRADIUS again...

#6
Quote from: franco on June 16, 2021, 03:00:47 PM
Might be worth notifying the plugin maintainer.

For a quick fix:

# opnsense-revert -r 21.1.6 freeradius3


Cheers,
Franco
#7
Same here, I also get the pap[13] error; it happens on start or restart of the service. The workaround is working for now.

Thanks