I've been dealing with this issue for around a month now and wanted to see if anyone has any ideas about this. I am trying to enable EAP-TLS authentication on our Android 11 devices using a FreeRADIUS server that is stood up for testing only. I've managed to get it past the TLS handshake, but when it comes to the EAP portion, the client keeps repeating and eventually lets the FreeRADIUS server know that there is an issue. See the log below:
eap_tls: (TLS) Peer ACKed our handshake fragment
eap: Sending EAP Request (code 1) ID 4 length 1004
eap: EAP session adding &reply:State = 0x396d4ce23b6941bc
[eap] = handled
} # authenticate = handled
Using Post-Auth-Type Challenge
# Executing group from file /etc/freeradius/3.0/sites-enabled/default
Challenge { ... } # empty sub-section is ignored
session-state: Saving cached attributes
Framed-MTU = 994
TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
Sent Access-Challenge Id 208 from 172.28.52.21:1812 to 172.28.15.49:32774 length 1068
EAP-Message = <elided>
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x396d4ce23b6941bcfc6c53955a4a2063
Finished request
eap_tls: (TLS) EAP Done initial handshake
eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
eap_tls: ERROR: (TLS) Alert read:fatal:internal error
eap_tls: (TLS) Server : Need to read more data: error
eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000438:SSL routines::tlsv1 alert internal error
eap_tls: (TLS) In Handshake Phase
eap_tls: (TLS) Application data.
eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
eap_tls: ERROR: [eaptls process] = fail
eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
eap: Sending EAP Failure (code 4) ID 5 length 4
eap: Failed in EAP select
Any and all help is appreciated - this is making me lose my mind!!!
I tried checking that the certificates have the proper attributes to allow for this specific exchange. I tried ensuring that the RADIUS server is resolvable by domain. I tried following guides online that made it seem very simple, but the result is always the same - the supplicant keeps sending new requests to the RADIUS server.
OK, I know this is going to be different for everyone, but I wanted to post this because I have not seen a solution provided for my specific infrastructure and issue.
We have an internal firewall that has FreeBSD packet scrubbing and fragment reassembly enabled. This prevented packets from going through our access points because we would end up with jumbo packets (1500+ bytes) and our APs can only do 1024 bytes, so these would be dropped. Once we disabled scrubbing, we were able to authenticate.
Android is very strict when it comes to certificate information! When I used FreeRADIUS, I changed everything except for the country code. When I debugged my Android device, I got an error that the domain suffix (.com) did not match! It was looking for .fr because the default setup in FreeRADIUS is to use country code FR. All I can say about this is make sure your certificates have no mistakes, because this worked fine in Linux.
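To make the fragmentation side of this concrete, here is an added example (not code from the thread or from FreeRADIUS) that models how a TLS handshake flight is cut into EAP-TLS Request packets per RFC 5216 and how large the resulting RADIUS Access-Challenge datagrams get. The figures are reconstructed from the posted log: 994 bytes of TLS data per fragment (the Framed-MTU value), which yields the 1004-byte EAP Request and the 1068-byte Access-Challenge shown there; the assumption that FreeRADIUS derives the fragment exactly this way is mine. The TLS flight itself is constructed dummy bytes, and the AP limit of 1024 is the one quoted in the answer.

```python
"""EAP-TLS fragmentation (RFC 5216) checked against a per-hop size limit.

Added example, not from the thread. Constructed input: a dummy TLS flight.
994 / 1004 / 1068 are the fragment, EAP length and RADIUS length in the log.
"""
import math
import struct

EAP_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_LENGTH_INCLUDED = 0x80   # L: first fragment carries total TLS length
FLAG_MORE_FRAGMENTS = 0x40    # M: more fragments follow
EAP_TLS_HEADER = 6            # code, id, length(2), type, flags
RADIUS_HEADER = 20
MAX_ATTR_VALUE = 253          # RADIUS attribute value limit (255 - 2-byte header)
TRAILING_ATTRS = 18 + 18      # Message-Authenticator (18) + State (18), as in the log


def eap_tls_fragments(tls_data: bytes, data_per_fragment: int, first_id: int) -> list:
    """Split one TLS flight into EAP-TLS Request packets, data_per_fragment TLS bytes each."""
    packets = []
    offset, eap_id = 0, first_id
    while offset < len(tls_data):
        first = offset == 0
        chunk = tls_data[offset:offset + data_per_fragment]
        offset += len(chunk)
        flags = (FLAG_LENGTH_INCLUDED if first else 0)
        flags |= FLAG_MORE_FRAGMENTS if offset < len(tls_data) else 0
        # the first fragment prefixes the 4-byte total length of the flight
        body = (struct.pack("!I", len(tls_data)) if first else b"") + chunk
        length = EAP_TLS_HEADER + len(body)
        packets.append(struct.pack("!BBHBB", EAP_REQUEST, eap_id, length, EAP_TYPE_TLS, flags) + body)
        eap_id = (eap_id + 1) & 0xFF
    return packets


def reassemble(packets: list) -> bytes:
    """Supplicant-side reassembly: validate headers, honour L/M flags, return the flight."""
    out = bytearray()
    expected_total = None
    for i, pkt in enumerate(packets):
        code, eap_id, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:EAP_TLS_HEADER])
        if code != EAP_REQUEST or eap_type != EAP_TYPE_TLS or length != len(pkt):
            raise ValueError(f"malformed EAP-TLS packet id={eap_id}")
        body = pkt[EAP_TLS_HEADER:]
        if flags & FLAG_LENGTH_INCLUDED:
            expected_total = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        out += body
        if bool(flags & FLAG_MORE_FRAGMENTS) != (i < len(packets) - 1):
            raise ValueError("M flag inconsistent with fragment count")
    if expected_total is not None and expected_total != len(out):
        raise ValueError(f"reassembled {len(out)} bytes, expected {expected_total}")
    return bytes(out)


def access_challenge_length(eap_packet_len: int) -> int:
    """RADIUS Access-Challenge size for one EAP packet: header, EAP-Message attributes
    (253-byte value chunks, 2-byte attribute header each), Message-Authenticator, State."""
    n_attrs = math.ceil(eap_packet_len / MAX_ATTR_VALUE)
    return RADIUS_HEADER + eap_packet_len + 2 * n_attrs + TRAILING_ATTRS


def max_data_per_fragment(radius_limit: int) -> int:
    """Largest TLS-bytes-per-fragment whose (largest, first) Access-Challenge fits
    radius_limit bytes of UDP payload. IP/UDP headers are not counted here."""
    best = 0
    for d in range(1, radius_limit):
        if access_challenge_length(EAP_TLS_HEADER + 4 + d) <= radius_limit:
            best = d
    return best


if __name__ == "__main__":
    flight = bytes(range(256)) * 12            # constructed 3072-byte "ServerHello..Done"
    frags = eap_tls_fragments(flight, 994, first_id=4)
    first_len = len(frags[0])
    print(f"{len(frags)} fragments, first EAP Request {first_len} bytes")
    print(f"Access-Challenge {access_challenge_length(first_len)} bytes, AP limit 1024")
    print(f"largest fragment that fits 1024: {max_data_per_fragment(1024)} bytes of TLS data")
    assert reassemble(frags) == flight
```

Running it reproduces the log's 1004-byte EAP Request inside a 1068-byte Access-Challenge, which is over the 1024-byte ceiling the answer describes; under the same size model, a fragment of about 950 TLS bytes would keep each datagram within that ceiling without depending on the firewall's reassembly behaviour.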