Differences

This shows you the differences between two versions of the page.

--- network:wifi:wpae [2023/06/21 11:27]
niziak created
+++ network:wifi:wpae [2023/10/23 11:14] (current)
niziak
@@ Line 1: / Line 1: @@
 ====== WiFi WPA Enterprise ======
-===== Android 11+ Devices =====
+===== Win 11 =====
+Windows 11 22H2 not connecting to WPA Enterprise
+  - Open Registry Editor
+  - Navigate to ''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13''
+  - Create ''DWORD'' key ''TlsVersion'' value ''FC0''
+''TlsVersion'' coding (values cane be OR-ed):
+  - 0000 1100 0000 = 0x0C0 TLS1.0
+  - 0011 0000 0000 = 0x300 TLS1.1
+  - 1100 0000 0000 = 0xC00 TLS1.2
+===== Android 11+ Devices =====
+**NOTE: DRAFT!**
 Freeradius log:
@@ Line 17: / Line 30: @@
 </file>
+Background:
+  * [[https://extremeportal.force.com/ExtrArticleDetail?an=000092023]]
+  * [[https://wiki.freeradius.org/guide/certificate-compatibility|Certificate Compatibility]]
+Hints:
+  *
 Workaround for Android based phone:
@@ Line 27: / Line 46: @@
     * CA certificate: Install. After installation choose just installed certificate
     * Online certificate status: Do not verify
+TODO
+Android:
+  * "Domain" = CN from radius cert (=radius host name?)
+  * Possible to add alternate names to cert to use short domain
+[[https://learn.microsoft.com/pl-pl/mem/intune/configuration/wi-fi-settings-android-enterprise]]
+[[https://community.ui.com/questions/what-domain-for-android-when-setting-up-wpa2-enterprise-w-built-in-radius/4efa22a5-c909-465b-9755-a8507e34b08a#answer/3a14eb34-5ead-47ed-9472-910752c7ee50]]
+[[https://community.ui.com/questions/UDM-Radius-WPA-Enterprise-Android-11/10e1ef71-a0e5-4b83-885d-80deccbdef25]]
+<code>
+I don't disagree, but bottom line is that 11 will never connect without a trusted CA root (and all intermediates in the chain, if there are any, above the certificate your RADIUS server is presenting) physically installed to the phone. Just how it is.
+</code>
+Starting with Android 11 QPR1, you must enter the domain for server certification validation in order to successfully connect.
+[[https://extremeportal.force.com/ExtrArticleDetail?an=000092023]]
+<code>
+The RADIUS certificate used by the 802.1X wireless controller or access point must use either:
+    A certificate signed by a trusted public Root certificate authority and configured to supply clients with the full certificate chain (root ->  intermediate(s) -> server), OR
+    In the case of self-signed or private CA, pre-load the root and any intermediate certificates on the device's trust store prior to connection.
+</code>
+Add both certs to client ? how to add intermediate ca ?
+New CA are added to ''User store'' only. There is no option without root right to move it to ''System store''
+[[https://serverfault.com/questions/1090456/freeradius-with-mixed-cas|FreeRadius with mixed CAs]]
+/etc/freeradius/3.0/mods-enabled/eap
+Use ''ca_path'' or ''ca_file'' not both. Using ''ca_path'' requires run ''c_rehash'' on pointed dir to created hashes do certs.
+<file /etc/freeradius/3.0/mods-enabled/eap>
+tls-config tls-common {
+  private_key_password =
+  private_key_file = ${certdir}/radius.int.example.com.key
+  certificate_file = ${certdir}/radius.int.example.com.crt
+  ca_path = ${cadir}
+  auto_chain = yes
+}
+</file>
+<file /etc/freeradius/3.0/mods-enabled/eap>
+tls-config tls-common {
+  private_key_password =
+  private_key_file = ${certdir}/radius.int.example.com.key
+  certificate_file = ${certdir}/radius-chain.crt
+  auto_chain = no
+}
+</file>
+apt-get install eapoltest
+Consider one selfsigned CA: [[https://networkradius.com/doc/3.0.10/raddb/home.html]]

Tools

menus and quick search

quick search

site status

Page Tools

meta data for this page

Differences