network:wifi:wpae [2023/06/21 11:27] niziak created |
network:wifi:wpae [2023/10/23 11:14] (current) niziak |
Line 1: | Line 1: | ||
====== WiFi WPA Enterprise ====== | ====== WiFi WPA Enterprise ====== | ||
- | ===== Android 11+ Devices ===== | + | ===== Win 11 ===== |
+ | Windows 11 22H2 not connecting to WPA Enterprise | ||
+ | - Open Registry Editor | ||
+ | - Navigate to ''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'' | ||
+ | - Create ''DWORD'' key ''TlsVersion'' value ''FC0'' | ||
+ | |||
+ | ''TlsVersion'' coding (values cane be OR-ed): | ||
+ | - 0000 1100 0000 = 0x0C0 TLS1.0 | ||
+ | - 0011 0000 0000 = 0x300 TLS1.1 | ||
+ | - 1100 0000 0000 = 0xC00 TLS1.2 | ||
+ | |||
+ | ===== Android 11+ Devices ===== | ||
+ | |||
+ | **NOTE: DRAFT!** | ||
Freeradius log: | Freeradius log: | ||
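Review bot: the `TlsVersion` value `FC0` in step 3 is the OR of all three codes in the table below it (0x0C0 | 0x300 | 0xC00 = 0xFC0), so it enables TLS 1.0 and TLS 1.1 on the client as well as TLS 1.2; say so explicitly, and if the RADIUS server negotiates TLS 1.2 suggest `C00` (TLS 1.2 only) as the value to try first, since that fixes the connection without re-enabling the older protocol versions. The step should also state that the value is hexadecimal (write it as `0xFC0`) and whether a reboot or service restart is needed before it takes effect; "values cane be OR-ed" is a typo for "can be".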
Line 17: | Line 30: | ||
</file> | </file> | ||
+ | Background: | ||
+ | * [[https://extremeportal.force.com/ExtrArticleDetail?an=000092023]] | ||
+ | * [[https://wiki.freeradius.org/guide/certificate-compatibility|Certificate Compatibility]] | ||
+ | |||
+ | Hints: | ||
+ | * | ||
Workaround for Android based phone: | Workaround for Android based phone: | ||
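Review bot: the `Hints:` list added here consists of a single empty bullet (`*`) and nothing else, so it renders as a blank list item; either fill it in or drop the heading. The first Background link has no link text, unlike the Certificate Compatibility entry below it; give it a title so the rendered list is readable.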
Line 27: | Line 46: | ||
* CA certificate: Install. After installation choose just installed certificate | * CA certificate: Install. After installation choose just installed certificate | ||
* Online certificate status: Do not verify | * Online certificate status: Do not verify | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | TODO | ||
+ | |||
+ | |||
+ | Android: | ||
+ | * "Domain" = CN from radius cert (=radius host name?) | ||
+ | * Possible to add alternate names to cert to use short domain | ||
+ | [[https://learn.microsoft.com/pl-pl/mem/intune/configuration/wi-fi-settings-android-enterprise]] | ||
+ | |||
+ | [[https://community.ui.com/questions/what-domain-for-android-when-setting-up-wpa2-enterprise-w-built-in-radius/4efa22a5-c909-465b-9755-a8507e34b08a#answer/3a14eb34-5ead-47ed-9472-910752c7ee50]] | ||
+ | |||
+ | |||
+ | |||
+ | [[https://community.ui.com/questions/UDM-Radius-WPA-Enterprise-Android-11/10e1ef71-a0e5-4b83-885d-80deccbdef25]] | ||
+ | <code> | ||
+ | I don't disagree, but bottom line is that 11 will never connect without a trusted CA root (and all intermediates in the chain, if there are any, above the certificate your RADIUS server is presenting) physically installed to the phone. Just how it is. | ||
+ | </code> | ||
+ | |||
+ | Starting with Android 11 QPR1, you must enter the domain for server certification validation in order to successfully connect. | ||
+ | |||
+ | |||
+ | [[https://extremeportal.force.com/ExtrArticleDetail?an=000092023]] | ||
+ | <code> | ||
+ | The RADIUS certificate used by the 802.1X wireless controller or access point must use either: | ||
+ | |||
+ | A certificate signed by a trusted public Root certificate authority and configured to supply clients with the full certificate chain (root -> intermediate(s) -> server), OR | ||
+ | In the case of self-signed or private CA, pre-load the root and any intermediate certificates on the device's trust store prior to connection. | ||
+ | </code> | ||
+ | Add both certs to client ? how to add intermediate ca ? | ||
+ | |||
+ | New CA are added to ''User store'' only. There is no option without root right to move it to ''System store'' | ||
+ | |||
+ | |||
+ | |||
+ | [[https://serverfault.com/questions/1090456/freeradius-with-mixed-cas|FreeRadius with mixed CAs]] | ||
+ | |||
+ | /etc/freeradius/3.0/mods-enabled/eap | ||
+ | |||
+ | Use ''ca_path'' or ''ca_file'' not both. Using ''ca_path'' requires run ''c_rehash'' on pointed dir to created hashes do certs. | ||
+ | |||
+ | <file /etc/freeradius/3.0/mods-enabled/eap> | ||
+ | tls-config tls-common { | ||
+ | private_key_password = | ||
+ | private_key_file = ${certdir}/radius.int.example.com.key | ||
+ | |||
+ | certificate_file = ${certdir}/radius.int.example.com.crt | ||
+ | ca_path = ${cadir} | ||
+ | |||
+ | auto_chain = yes | ||
+ | } | ||
+ | </file> | ||
+ | |||
+ | <file /etc/freeradius/3.0/mods-enabled/eap> | ||
+ | tls-config tls-common { | ||
+ | private_key_password = | ||
+ | private_key_file = ${certdir}/radius.int.example.com.key | ||
+ | |||
+ | certificate_file = ${certdir}/radius-chain.crt | ||
+ | auto_chain = no | ||
+ | } | ||
+ | </file> | ||
+ | |||
+ | apt-get install eapoltest | ||
+ | |||
+ | |||
+ | Consider one selfsigned CA: [[https://networkradius.com/doc/3.0.10/raddb/home.html]] | ||
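Review bot: the two `tls-common` blocks are mutually exclusive alternatives, but the text never says which one to use or that only one applies; label them (chain built automatically from `ca_path` with `auto_chain = yes`, versus a pre-built `radius-chain.crt` with `auto_chain = no`) and state that the chain file must contain the server certificate first, followed by the intermediate certificate(s) in order. The `Online certificate status: Do not verify` line in the Android workaround switches off revocation checking on the phone and deserves a one-line caveat next to it. Also: "to created hashes do certs" should read "to create hashes for the certs", the question "Add both certs to client ? how to add intermediate ca ?" is left unanswered by the quoted material, and `apt-get install eapoltest` appears with no command or configuration showing how eapol_test was used, so the reader cannot reproduce the test.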