EAP-PEAP: unknown ca error


EAP-PEAP: unknown ca error

Nick Iatsenko
Hello everyone,

I successfully configured FreeRADIUS 3.0.21 on my new Opnsense firewall.

Connected devices via Wi-Fi:
- iOS : OK
- MacOS : OK
- Android : KO

I found another person (Daniel Lopez) having a similar issue with EAP-TLS
back in 2017, but he was provided a link to a resource with instructions for
different clients (OS) but not Android.

Root CA is used to issue Server cert (no intermediate cert is used - it's a
home setup ;) ).

I installed Root CA cert on my Pixel3 > Settings > Security > Encryption &
Credentials > Install a certificate >  CA Certificate > followed the dialog

New Root CA cert is visible under Settings > Security > Encryption &
Credentials > Trusted credentials > User

My concern: I don't see my new Root CA cert under CA certificate section in
the Wi-Fi profile and have to choose "Use system certificates"

Below is the debug result. I hope it helps to confirm my hypothesis
(presented Server cert is not Trusted by Android phone).

Feel free to forward me to another Android-related resource if this is
not the right place to ask for help with my issue.

(261) Received Access-Request Id 62 from 192.168.31.2:53892 to
192.168.31.1:1812 length 183
(261)   Service-Type = Framed-User
(261)   Framed-MTU = 1400
(261)   User-Name = "Nick_Pixel3"
(261)   State = 0x7616a93d7e1fb07496c66d6bce81643b
(261)   NAS-Port-Id = "guest_WLAN"
(261)   NAS-Port-Type = Wireless-802.11
(261)   Calling-Station-Id = "96-4D-45-A8-84-E0"
(261)   Called-Station-Id = "CC-2D-E0-A9-52-2A:XATA_guest"
(261)   EAP-Message = 0x0209001119800000000715030300020230
(261)   Message-Authenticator = 0x145801a756ad058b3a78d10e7f6343f1
(261)   NAS-Identifier = "MikroTik"
(261)   NAS-IP-Address = 192.168.31.2
(261) session-state: No cached attributes
(261) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(261)   authorize {
(261)     policy filter_username {
(261)       if (&User-Name) {
(261)       if (&User-Name)  -> TRUE
(261)       if (&User-Name)  {
(261)         if (&User-Name =~ / /) {
(261)         if (&User-Name =~ / /)  -> FALSE
(261)         if (&User-Name =~ /@[^@]*@/ ) {
(261)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(261)         if (&User-Name =~ /\.\./ ) {
(261)         if (&User-Name =~ /\.\./ )  -> FALSE
(261)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(261)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(261)         if (&User-Name =~ /\.$/)  {
(261)         if (&User-Name =~ /\.$/)   -> FALSE
(261)         if (&User-Name =~ /@\./)  {
(261)         if (&User-Name =~ /@\./)   -> FALSE
(261)       } # if (&User-Name)  = notfound
(261)     } # policy filter_username = notfound
(261)     [preprocess] = ok
(261)     [chap] = noop
(261)     [mschap] = noop
(261)     [digest] = noop
(261) suffix: Checking for suffix after "@"
(261) suffix: No '@' in User-Name = "Nick_Pixel3", looking up realm NULL
(261) suffix: No such realm "NULL"
(261)     [suffix] = noop
(261) eap: Peer sent EAP Response (code 2) ID 9 length 17
(261) eap: Continuing tunnel setup
(261)     [eap] = ok
(261)   } # authorize = ok
(261) Found Auth-Type = eap
(261) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(261)   authenticate {
(261) eap: Expiring EAP session with state 0x7616a93d7e1fb074
(261) eap: Finished EAP session with state 0x7616a93d7e1fb074
(261) eap: Previous EAP request found for state 0x7616a93d7e1fb074,
released from the list
(261) eap: Peer sent packet with method EAP PEAP (25)
(261) eap: Calling submodule eap_peap to process data
(261) eap_peap: Continuing EAP-TLS
(261) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(261) eap_peap: Got complete TLS record (7 bytes)
(261) eap_peap: [eaptls verify] = length included
(261) eap_peap: <<< recv TLS 1.2  [length 0002]
(261) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(261) eap_peap: TLS_accept: Need to read more data: error
(261) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(261) eap_peap: TLS - In Handshake Phase
(261) eap_peap: TLS - Application data.
(261) eap_peap: ERROR: TLS failed during operation
(261) eap_peap: ERROR: [eaptls process] = fail
(261) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
failed
(261) eap: Sending EAP Failure (code 4) ID 9 length 4
(261) eap: Failed in EAP select
(261)     [eap] = invalid
(261)   } # authenticate = invalid
(261) Failed to authenticate the user
(261) Using Post-Auth-Type Reject
(261) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(261)   Post-Auth-Type REJECT {
(261) attr_filter.access_reject: EXPAND %{User-Name}
(261) attr_filter.access_reject:    --> Nick_Pixel3
(261) attr_filter.access_reject: Matched entry DEFAULT at line 11
(261)     [attr_filter.access_reject] = updated
(261)     [eap] = noop
(261)     policy remove_reply_message_if_eap {
(261)       if (&reply:EAP-Message && &reply:Reply-Message) {
(261)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(261)       else {
(261)         [noop] = noop
(261)       } # else = noop
(261)     } # policy remove_reply_message_if_eap = noop
(261)   } # Post-Auth-Type REJECT = updated
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
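The EAP-Message attribute in the Access-Request above is the packet that carries the client's verdict on the server certificate: FreeRADIUS logs it as "TLS Alert read:fatal:unknown CA", and the same information is sitting in the 17 hex bytes. The decoder below is an added example written for this thread, not code from the original post or from FreeRADIUS; it parses the EAP header (RFC 3748), the PEAP flags and optional TLS length field, and the TLS record layer (RFC 5246), and names the alert so the failure can be read straight from a debug log. The alert description table covers only the certificate-related codes; the hex input is the one from the log above.

```python
"""Decode a FreeRADIUS debug-log EAP-Message value down to the TLS alert inside it."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
TLS_CONTENT_ALERT = 0x15
# Record-layer version bytes; TLS 1.3 also puts 3.3 in the record header.
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# Subset of RFC 5246 section 7.2.2 alert descriptions relevant to certificate validation.
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
}

# Constructed sample: the EAP-Message value printed in the Access-Request above.
SAMPLE_EAP_MESSAGE = "0x0209001119800000000715030300020230"


def decode_tls_records(tls):
    """Split a byte string into TLS records and label any alert records."""
    records = []
    offset = 0
    while offset + 5 <= len(tls):
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[offset:offset + 5])
        body = tls[offset + 5:offset + 5 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated TLS record")
        rec = {
            "content_type": ctype,
            "version": TLS_VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}"),
            "length": rlen,
        }
        if ctype == TLS_CONTENT_ALERT and rlen == 2:
            # Alert body is two bytes: level (1 warning, 2 fatal) and description.
            rec["alert_level"] = "fatal" if body[0] == 2 else "warning"
            rec["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], body[1])
        records.append(rec)
        offset += 5 + rlen
    if offset != len(tls):
        raise ValueError("trailing bytes after last TLS record")
    return records


def decode_eap_message(hex_string):
    """Decode the EAP header, and for PEAP the flags, TLS length and TLS records."""
    data = bytes.fromhex(hex_string[2:] if hex_string.startswith("0x") else hex_string)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4:          # Success/Failure carry no type byte
        return result
    result["type"] = data[4]
    if data[4] != EAP_TYPE_PEAP:
        return result
    flags = data[5]
    result["flags"] = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "peap_version": flags & 0x07,
    }
    offset = 6
    if flags & 0x80:         # L bit set: 4-byte total TLS message length follows
        (result["tls_total_length"],) = struct.unpack("!I", data[6:10])
        offset = 10
    result["tls_records"] = decode_tls_records(data[offset:])
    return result


def summarize(hex_string):
    """One-line reading of the message, as an operator would want it in a log review."""
    msg = decode_eap_message(hex_string)
    line = f"EAP {msg['code']} id={msg['id']}"
    for rec in msg.get("tls_records", []):
        if "alert_description" in rec:
            line += f": {rec['version']} {rec['alert_level']} alert {rec['alert_description']}"
    return line


if __name__ == "__main__":
    print(summarize(SAMPLE_EAP_MESSAGE))
```

A fatal unknown_ca alert is sent by the supplicant, not the server, so when it shows up in the Response the phone has already decided it does not trust the chain FreeRADIUS presented; no change on the RADIUS side will alter that verdict, which is the point Alan makes in his reply.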

Re: EAP-PEAP: unknown ca error

Alan DeKok-2
On Jan 8, 2021, at 4:57 PM, Nick Iatsenko <[hidden email]> wrote:

> Root CA is used to issue Server cert (no intermediate cert is used - it's a
> home setup ;) ).
>
> I installed Root CA cert on my Pixel3 > Settings > Security > Encryption &
> Credentials > Install a certificate >  CA Certificate > followed the dialog
>
> New Root CA cert is visible under Settings > Security > Encryption &
> Credentials > Trusted credentials > User
>
> My concern: I don't see my new Root CA cert under CA certificate section in
> the Wi-Fi profile and have to choose "Use system certificates"

  If the CA isn't available in the WiFi profile, then that's the reason it's not working.

  If it works on one OS and not another, then the problem is the broken OS.  FreeRADIUS provably works...

> Below is the debug result. I hope it helps to confirm my hypothesis
> (presented Server cert is not Trusted by Android phone).

  Yes.  Fix the WiFi phone.  How?  Uh... I dunno.  Android is magic :(

> Feel free to forward me to the other Android related resource if this is
> not the right place to ask for help with my issue.

  We can offer limited advice here.  If iOS works and Android doesn't, then the issue is a configuration problem on Android.

  Alan DeKok.

