[RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

Imanol Fuidio imanol.fuidio at fon.com
Wed Jun 18 06:04:17 CDT 2014


Hi everyone,

In the company we have performed some tests on EAP TLS.
We are using Radiator-4.13 with the goodie eap_tls.cfg.

We have created self-signed certificates through the script: script.sh
(You can find the script, as well as the certificates, at
https://gist.github.com/ifdm001/57c03984282f33406aec )

During the tests, we have installed the cert-clt.p12 cert file on a Galaxy
S3 with Android 4.1.2.
We have also installed the CA file cacert.pem.

The WiFi configuration is: EAP method TLS, Phase 2 PAP, User certificate,
Identity user

We have also added the identity user to the file database.

When we have not configured the CA file in the WiFi configuration profile,
everything works. It is strange that there is no message from Android saying
that the server certificate will not be verified; also, there is no
checklist option to validate this (as there is in Microsoft; see
https://support.microsoft.com/kb/814394).

When we configure the CA file in the WiFi configuration profile on the
Android phone, we found the following error in Radiator:

Wed Jun 18 11:49:35 2014: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Wed Jun 18 11:49:35 2014: DEBUG:  Deleting session for user, 10.1.0.9,
Wed Jun 18 11:49:35 2014: DEBUG: Handling with Radius::AuthFILE:
Wed Jun 18 11:49:35 2014: DEBUG: Handling with EAP: code 2, 255, 200, 13
Wed Jun 18 11:49:35 2014: DEBUG: Response type 13
Wed Jun 18 11:49:35 2014: DEBUG: Certificate Subject Name is /C=ES/ST=Biscay/L=Getxo/O=Fon/OU=Fon Labs/CN=user
Wed Jun 18 11:49:35 2014: DEBUG: Matched certificate CN user with User-Name user or identity user
Wed Jun 18 11:49:35 2014: DEBUG: Reading users file ./users
Wed Jun 18 11:49:35 2014: DEBUG: Radius::AuthFILE looks for match with user [user]
Wed Jun 18 11:49:35 2014: DEBUG: Radius::AuthFILE ACCEPT: : user [user]
Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1, 1, 8592, 0,  22411: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Wed Jun 18 11:49:35 2014: DEBUG: EAP Failure, elapsed time 0.179251
Wed Jun 18 11:49:35 2014: DEBUG: EAP result: 1, EAP TLS error
Wed Jun 18 11:49:35 2014: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
Wed Jun 18 11:49:35 2014: INFO: Access rejected for user: EAP TLS error
Wed Jun 18 11:49:35 2014: DEBUG: Packet dump:
*** Sending to 10.1.0.9 port 54719 ....
Code:       Access-Reject
Identifier: 189
Authentic:  <194><153>-<204><200><12><189><176>&<168><196><24><180><148><210>i
Attributes:
EAP-Message = <4><255><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"

The full log is in the file eap_tls.log, also at
https://gist.github.com/ifdm001/57c03984282f33406aec

We will be grateful for any help with this problem.

Thanks,

Imanol

-- 

Imanol Fuidio Díaz-Maroto

Fon Labs
R&D Engineer
imanol.fuidio at fon.com
skype: imanol.fon