Necessary RADIUS Updates

Many popular RADIUS versions contain a bug that causes 802.1X authentication to fail on devices attempting to negotiate with the TLS 1.2 protocol. This issue affects the following services:

  FreeRADIUS 2 versions 2.2.6 through 2.2.8
  FreeRADIUS 3 versions 3.0.6 through 3.0.8
  Net::SSLeay 1.52 or earlier on RADIATOR servers
  ClearPass 6.5.1

This bug was present but unnoticed until TLS 1.2 support was briefly included in iOS 9 devices. It is now supported by the newest Android systems and the developers have no plans to revert to TLS 1.0 despite connectivity issues.

To ensure all future devices are able to connect to secure wireless, we strongly advise that you update your RADIUS per developers' recommendations:

  ClearPass: Upgrade to version 6.5.2 or greater
  RADIATOR: Upgrade Net::SSLeay to version 1.70 or greater
  FreeRADIUS: Upgrade to version 3.0.10
  Microsoft NPS: Update information available here.<https://urldefense.proofpoint.com/v2/url?u=http-3A__resources.securew2.com_acton_ct_10138_s-2D0066-2D1510_Bct_l-2D0084_l-2D0084-3Ad1_ct1-5F0_1-3Fsid-3DteULe75n1&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=Zry7Lse43BlfeWv78R_YeqNcAKLedbWM_88ACVXWx8c&s=zkTPnQVZJkAg4l8fxhuiE97Y3mMjmBXVGWrL85f0i0A&e=>

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Turner, Ryan H
Sent: Tuesday, October 13, 2015 3:28 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android Marshmallow and Wireless..

Correction... TLS 1.2 was fixed for EAP-TLS in 2.2.7. This is a good thread:

https://code.google.com/p/android/issues/detail?id=188867

I think you actually should be good running on 2.2.9 according to this thread, but you obviously aren't!! If you really struggle, you may want to consider backreving to a freeRadius that didn't include TLS 1.2 support until you can assess. If you have a virtual infrastructure, I'd spin up a test RADIUS server on old code with the same config and test.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Turner, Ryan H
Sent: Tuesday, October 13, 2015 3:23 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android Marshmallow and Wireless..

Post your EAP method. The fixes for TLS1.2 are not universal across the freeRadius versions and are EAP type dependent. For example, UNC is EAP-TLS, and the fix for TLS was in 2.2.8. I 'think' TTLS was 2.2.9. We've had no issues with Android M. I sent an email out to our technical user community and we've had no issues with numerous people connecting.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Danny Eaton
Sent: Tuesday, October 13, 2015 3:13 PM
To: [email protected]
Subject: [WIRELESS-LAN] Android Marshmallow and Wireless..

So, we're a Cisco wireless shop, running WiSM-2's HA, blah blah blah... Authenticate the 802.1x with FreeRadius, and just upgraded it this morning to 2.2.9. I've got ONE user on a Nexus 5 who upgraded to Marshmallow. When we were running the 2.2.8 version of FreeRadius, the login failed. We've upgraded to 2.2.9, and we're seeing in the radius logs "Login OK" for his username and MAC address, but really, it is not connecting.

I've captured the "troubleshooting" logs from our PI 2.2.3, and we're going to work with him tomorrow running debug on the radius server when he's trying to connect, but thought I'd reach out to y'all and see if anyone else is seeing this issue.

Respectfully,

Danny Eaton
Snr. Network Architect
Networking, Telecommunications, & Operations
Rice University, OIT
Mudd Bldg, RM #205
Jones College Associate
Office - 713-348-5233
Cellular - 832-247-7496
[email protected]

Soli Deo Gloria
Matt 18:4-6

G.K. Chesterton, "Christianity has not been tried and found wanting. It's been found hard and left untried."

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
