Android 5.1.1 802.1X EAP method TLS: error reading cert.

  • Updated 2 years ago

Trying to bring new Android devices onto our network, which is using the 802.1X EAP method of TLS. I installed a valid CA and cert but get an auth error. This is what I am seeing in the RADIUS logs:

2016-02-24 08:56:28 warn    radiusd[17539]: RADIUS: The RADIUS server rejected user 'bob' through the NAS at 10.2.22.12.
2016-02-24 08:56:28 warn    radiusd[17539]: RADIUS: eap auth for STA=00ae:faf3:6771 user=bob failed with type EAP/tls
2016-02-24 08:56:28 err     radiusd[17539]: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
2016-02-24 08:56:28 err     radiusd[17539]: rlm_eap: SSL error error:14094410:lib(20):func(148):reason(1040)
2016-02-24 08:56:28 err     radiusd[17539]: TLS_accept: failed in SSLv3 read client certificate A
2016-02-24 08:56:28 err     radiusd[17539]: TLS Alert read:fatal:handshake failure
2016-02-24 08:56:25 info    kernel: [wifi]: ah_idp_timeout: wifi0 idp mitigate disable


Anybody have a clue how to resolve this?


Thanks!



Todd Zirbel


Posted 2 years ago


Nick Lowe, Official Rep

Hi Todd,

Just to confirm, this is just affecting this device and you have other Android clients configured in the same way that function correctly?

If that is the case, by way of initial steps...

Have you updated to HiveOS 6.5r3a? If not, do this first and retest.

If it still fails, can you then check that your server certificate meets the requirements of the following document: https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

If it does not, how does it differ?

Regarding the client certificate... What's the public key length?

Is the public part of the root certificate that the server certificate derives from installed on the Android client? Is it configured to check the server certificate against this?

I'll give you some additional things to look for after you've completed those steps.

(A packet capture of the EAP exchange would be interesting, as it yields the TLS fatal alert codes and the certificates used in the exchange.)

Regards,

Nick
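The certificate checks asked for above (key length, server certificate requirements, whether each side chains to the root the other side trusts) can be answered from a workstation before touching the access point. The following helpers are an added example, not part of this thread, of HiveOS or of any RADIUS server; they assume only the openssl command-line tool, and the certificate and CA file paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added diagnostic helpers for the questions in the reply above; not from the
# thread, HiveOS or radiusd. Needs only the openssl CLI; the certificate and
# CA paths are caller-supplied placeholders.
set -eu

# Decode the numeric OpenSSL error copied from the radiusd log, e.g. 14094410.
# The "error:14094410:lib(20):func(148):reason(1040)" layout is the OpenSSL
# 1.x encoding; OpenSSL 3 packs codes differently, so use a 1.x binary for
# codes taken from a log of that era.
decode_ssl_error() {
    openssl errstr "$1"
}

# Print the public key size in bits of a PEM certificate
# (answers "what's the public key length?").
cert_key_bits() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# Print the signature algorithm of a PEM certificate, one of the items
# to compare against the GEANT server certificate document.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *\(.*\)$/\1/p' \
        | head -n 1
}

# Print the notBefore/notAfter validity window.
cert_validity() {
    openssl x509 -in "$1" -noout -dates
}

# Exit 0 when CERT chains to the root in CAFILE, non-zero otherwise.
# Run it once with the server certificate and the root installed on the
# Android client, and once with the client certificate and the CA that
# radiusd trusts. The log shows radiusd receiving a fatal handshake_failure
# alert from the client while waiting for the client certificate, so the
# client's view of the server certificate is the first direction to check.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Summarise one certificate against its CA in a single report.
report_cert() {
    cert=$1; cafile=$2
    printf 'certificate : %s\n' "$cert"
    printf 'key bits    : %s\n' "$(cert_key_bits "$cert")"
    printf 'signature   : %s\n' "$(cert_sig_alg "$cert")"
    cert_validity "$cert"
    if verify_chain "$cafile" "$cert"; then
        echo "chain       : OK (chains to $cafile)"
    else
        echo "chain       : FAILED, $(openssl verify -CAfile "$cafile" "$cert" 2>&1 | tail -n 1)"
    fi
}

# Usage (placeholder paths):
#   report_cert /path/to/client.pem /path/to/root-ca.pem
#   report_cert /path/to/radius-server.pem /path/to/root-ca.pem
#   decode_ssl_error 14094410
```

The chain check is deliberately run in both directions because the supplicant and the RADIUS server each validate the other's certificate independently; a CA that is present on the server but missing on the handset fails only on the client side, which is exactly where the log shows the handshake being aborted.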

Todd Zirbel

Hello. Yup. I have about iPad 4s and 12 Android devices ranging in versions from 4.4 to 5.1 that do not have this issue. The two that I do have issues with are a Samsung Galaxy S6 and a Galaxy Note 5 running 5.1.1. I will attempt a packet capture of the EAP exchange and see what I get.

Nick Lowe, Official Rep

Could this be the weak DH issue that is patched in recent HiveOS releases? That's why I wondered whether you are running up-to-date HiveOS, currently 6.5r3a in the golden, long-term stable branch.