8021x WLAN Android 11

[zeitlins]

Hi

I wan´t to change my 8021x from PEAP-MS-CHAP v2 to EAP-TLS but seem to be stuck when not using a signed CA...

Currently freeradius gives the Error

 2022-01-14T12:26:13       Auth: (85) Login incorrect (eap_tls: (TLS) Alert read:fatal:unknown CA): [mobile_device/<via Auth-Type = eap>] (from client AP1 port 1 cli XX-XX-FB-0C-07-E4)   
2022-01-14T12:26:13       ERROR: (85) eap_tls: ERROR: (TLS) Alert read:fatal:unknown CA

what i´ve read by now is that it´s not posible to trust a self signed ca in android 11 and up ....

Any Ideas?

Happy to Test suggestions

[Mks]

Hi,

what do you mean with "signed CA". I assume you are talking about a self-signed certificate.

Unknown CA sounds for me that the RootCA certificate (is per design self signed) is not imported to the CA store of the device.

Usually the chain is: RootCA->IssuingCA->EndUser certificate

If you are using a self signed certificate, it will not be accepted by the Radius server.

br

[zeitlins]

i use a self signed cert ... created on the opnsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only Accepting Certs which are in the System Root-CA therefore Trusted Root-CA´s

I would like to Implement my own CA without any MDM as this is my home network

[cookiemonster]

i use a self signed cert ... created on the opnsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only Accepting Certs which are in the System Root-CA therefore Trusted Root-CA´s

I would like to Implement my own CA without any MDM as this is my home network

That's only possible if you persuade the phone to have your root CA in it's trusted root store. Otherwise your CA must be in, which means you've need a cert signed by one of them.

[lfirewall1243]

i use a self signed cert ... created on the opnsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only Accepting Certs which are in the System Root-CA therefore Trusted Root-CA´s

I would like to Implement my own CA without any MDM as this is my home network

It will only work if your Clients Trust that certificate.
1. Option: Import the CA to your Clients certificate store
2. Option: Use something like a ZeroSSL certificate for that

[zeitlins]

i use a self signed cert ... created on the opnsense firewall

radius-ca  (my root CA)
radius-intermediate-ca (intermediate-ca) used to sign Server Cert & User Cert
radius-server
user

It looks like Android is only Accepting Certs which are in the System Root-CA therefore Trusted Root-CA´s

I would like to Implement my own CA without any MDM as this is my home network

That's only possible if you persuade the phone to have your root CA in it's trusted root store. Otherwise your CA must be in, which means you've need a cert signed by one of them.

I think there is the Problem as a user i cann´t add it to the trusted root store....
But thanks for confirming, its bad for BYOD