Actually, buried in the bug report is this:

I suspect that you all are hitting this issue because the new version
of Android is now negotiating, correctly, with TLS 1.2 and you have a
broken backend.

If so, this issue should be marked as being invalid.

This applies to anybody with WPA2-Enterprise/802.1X SSIDs backed by
either FreeRADIUS 2.2.6 with all TLS-based EAP types, 2.2.6 through
2.2.8 with EAP-TTLS, 3.0.7 with all TLS-based EAP types, and 3.0.7
through 3.0.9 with EAP-TTLS, or Radiator 4.14 or later when used in
conjunction with Net::SSLeay 1.52 or earlier.

These unfortunately experience a critical bug where they miscalculate
session keying material, the MPPE keys, when the TLS 1.2 protocol is
negotiated by EAP clients (supplicant).

Clients that negotiate with the TLS 1.2 protocol version in the TLS
Client Hello will not be able to get a usable association to affected
wireless networks.

Two MPPE keys, the MS-MPPE-Recv-Key (MasterReceiveKey) and
MS-MPPE-Send-Key (MasterSendKey), are used to derive the Master
Session Key (MSK). This is absolutely essential to get a usable
association.

The mismatch occurs because the client derives the correct MSK and the
AP derives a different, incorrect MSK due to the incorrectly
calculated MPPE keys supplied in the RADIUS Access-Accept.

This is more of an acute issue as Red Hat ship with a broken
FreeRADIUS 2.2.6 package in RHEL 6.7. There is an update now to
address this: https://rhn.redhat.com/errata/RHBA-2015-1829.html

CentOS 6.7 is similarly affected as it derives from Red Hat's sources.

I should also mention that there is a difference between
implementing/offering TLS 1.2 or not and being intolerant to it. It is
the latter that is a problem with the introduction of TLS 1.2 for EAP.

The issue above, loosely, concerns intolerance because the subsequent
MPPE keys generated are miscalculated.

Deployments that continue to offer just TLS 1.0 will continue to
function correctly as TLS 1.0 will be negotiated by EAP clients
(supplicants) despite them offering TLS 1.2 in the Client Hello in their
default configuration. (TLS has a version negotiation mechanism; you
just need an intersection of supported versions and cipher suites.)


On Fri, Oct 9, 2015 at 7:33 AM, Trent Hurt <[email protected]>
wrote:

> Issue 188867 - android - peap eap mschapv2 android M not working - Android
> Open Source Project - Issue Tracker - Google Project Hosting
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__code.google.com_p_android_issues_detail-3Fid-3D188867&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=7zavXXu1MPyIeKsBU11CubvbajlcMx0DCxxUzAg9i8E&s=LD9sieEHlScHnuK6WY7iwogxRHVp7AnA9qy81BRls4Y&e=>
>
> Seems like there is an issue with latest android OS (Marshmallow) when it
> comes to 802.1X wireless.
>
> Sent from my iPhone
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
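The keying-material mismatch described in the reply above, as an added example that is not part of the original message and is not code from FreeRADIUS or Radiator. It implements the TLS 1.0/1.1 PRF (RFC 2246) and the TLS 1.2 PRF (RFC 5246), derives MSK, EMSK, MS-MPPE-Recv-Key and MS-MPPE-Send-Key per RFC 5216 section 2.3 (the "client EAP encryption" label used by EAP-TLS and PEAP; EAP-TTLS uses a different label), and then models a supplicant and a RADIUS server deriving from the same handshake. The bug is modelled as the server still applying the TLS 1.0/1.1 PRF after TLS 1.2 was negotiated; that mechanism is an assumption made for illustration, since the message only states that the MPPE keys are miscalculated. The master secret and randoms are constructed sample values, not from a real handshake.

```python
import hmac

# Constructed sample TLS session values (not from any real handshake).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)

TLS_1_0, TLS_1_1, TLS_1_2 = (3, 1), (3, 2), (3, 3)
VERSION_NAME = {TLS_1_0: "1.0", TLS_1_1: "1.1", TLS_1_2: "1.2"}


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 5246 section 5: HMAC expansion until `length` bytes exist."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246): P_MD5 over the first half of the secret
    XORed with P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246): a single P_SHA256 over the whole secret."""
    return p_hash("sha256", secret, label + seed, length)


PRF_FOR_VERSION = {TLS_1_0: tls10_prf, TLS_1_1: tls10_prf, TLS_1_2: tls12_prf}


def eap_tls_keys(master_secret, client_random, server_random, prf):
    """RFC 5216 section 2.3 key hierarchy (EAP-TLS; PEAP uses the same label).
    128 bytes of keying material are split into MSK and EMSK; the two MSK halves
    are what the RADIUS server returns as MS-MPPE-Recv-Key and MS-MPPE-Send-Key."""
    material = prf(master_secret, b"client EAP encryption",
                   client_random + server_random, 128)
    msk, emsk = material[:64], material[64:128]
    return {
        "MSK": msk,
        "EMSK": emsk,
        "MS-MPPE-Recv-Key": msk[:32],    # Enc-RECV-Key = MSK(0,31)
        "MS-MPPE-Send-Key": msk[32:64],  # Enc-SEND-Key = MSK(32,63)
    }


def supplicant_keys(version):
    """Client side: derives with the PRF that belongs to the negotiated version."""
    return eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                        PRF_FOR_VERSION[version])


def radius_server_keys(version, tls12_aware):
    """Server side. The modelled (assumed) defect: a server that is not TLS 1.2
    aware keeps using the TLS 1.0/1.1 PRF after TLS 1.2 has been negotiated."""
    if version == TLS_1_2 and not tls12_aware:
        prf = tls10_prf
    else:
        prf = PRF_FOR_VERSION[version]
    return eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, prf)


def msk_matches(version, tls12_aware):
    """True when supplicant and server agree on the MSK, the precondition for a
    usable association; False reproduces the failure the reply describes."""
    return (supplicant_keys(version)["MSK"]
            == radius_server_keys(version, tls12_aware)["MSK"])


if __name__ == "__main__":
    for version, aware in [(TLS_1_0, False), (TLS_1_2, False), (TLS_1_2, True)]:
        state = "usable association" if msk_matches(version, aware) else "MSK mismatch"
        print(f"TLS {VERSION_NAME[version]}, server TLS 1.2-aware={aware}: {state}")
```

Running the script shows the three cases from the reply: a TLS 1.0 session derives the same MSK on both sides regardless of the server bug, a TLS 1.2 session against the modelled server yields different MS-MPPE keys in the Access-Accept than the supplicant computes, and a TLS 1.2-aware server agrees with the supplicant again. On a live network the supplicant-side symptom is the same in the failing case: EAP completes but the client never gets a usable association, which is why restricting the server to TLS 1.0 until it is patched restores service.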
