8021x WLAN Android 11
zeitlins:
Hi
I want to change my 802.1X from PEAP-MSCHAPv2 to EAP-TLS but seem to be stuck when not using a signed CA...
Currently freeradius gives the error
2022-01-14T12:26:13 Auth: (85) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [mobile_device/<via Auth-Type = eap>] (from client AP1 port 1 cli XX-XX-FB-0C-07-E4)
2022-01-14T12:26:13 ERROR: (85) eap_tls: ERROR: (TLS) Alert read:fatal:unknown CA
What I've read so far is that it's not possible to trust a self-signed CA in Android 11 and up...
Any ideas?
Happy to test suggestions.
Mks:
Hi,
What do you mean by "signed CA"? I assume you are talking about a self-signed certificate.
"Unknown CA" sounds to me like the root CA certificate (which is self-signed by design) is not imported into the CA store of the device.
Usually the chain is: Root CA -> Issuing CA -> end-user certificate
If you are using a self-signed certificate, it will not be accepted by the RADIUS server.
br
zeitlins:
I use a self-signed cert... created on the OPNsense firewall:
radius-ca (my root CA)
radius-intermediate-ca (intermediate CA) used to sign the server cert & user cert
radius-server
user
It looks like Android is only accepting certs which are in the system root CA store, therefore trusted root CAs.
I would like to implement my own CA without any MDM, as this is my home network.
cookiemonster:
--- Quote from: zeitlins on January 14, 2022, 10:26:48 pm ---I use a self-signed cert... created on the OPNsense firewall:
radius-ca (my root CA)
radius-intermediate-ca (intermediate CA) used to sign the server cert & user cert
radius-server
user
It looks like Android is only accepting certs which are in the system root CA store, therefore trusted root CAs.
I would like to implement my own CA without any MDM, as this is my home network.
--- End quote ---
That's only possible if you persuade the phone to have your root CA in its trusted root store. Otherwise your CA must be in it, which means you'd need a cert signed by one of them.
lfirewall1243:
--- Quote from: zeitlins on January 14, 2022, 10:26:48 pm ---I use a self-signed cert... created on the OPNsense firewall:
radius-ca (my root CA)
radius-intermediate-ca (intermediate CA) used to sign the server cert & user cert
radius-server
user
It looks like Android is only accepting certs which are in the system root CA store, therefore trusted root CAs.
I would like to implement my own CA without any MDM, as this is my home network.
--- End quote ---
It will only work if your clients trust that certificate.
Option 1: Import the CA into your clients' certificate store
Option 2: Use something like a ZeroSSL certificate for that