Necessary RADIUS Updates
Many popular RADIUS versions contain a bug that causes 802.1X authentication to 
fail on devices attempting to negotiate with the TLS 1.2 protocol. This issue 
affects the following services:
FreeRADIUS 2 versions 2.2.6 through 2.2.8
FreeRADIUS 3 versions 3.0.6 through 3.0.8
Net::SSLeay 1.52 or earlier on RADIATOR servers
ClearPass 6.5.1
This bug was present but unnoticed until TLS 1.2 support was briefly included 
in iOS 9 devices. It is now supported by the newest Android systems and the 
developers have no plans to revert to TLS 1.0 despite connectivity issues. To 
ensure all future devices are able to connect to secure wireless, we strongly 
advise that you update your RADIUS per developers' recommendations:
ClearPass: Upgrade to version 6.5.2 or greater
RADIATOR: Upgrade Net::SSLeay to version 1.70 or greater
FreeRADIUS: Upgrade to version 3.0.10
Microsoft NPS: Update information available 
here.<https://urldefense.proofpoint.com/v2/url?u=http-3A__resources.securew2.com_acton_ct_10138_s-2D0066-2D1510_Bct_l-2D0084_l-2D0084-3Ad1_ct1-5F0_1-3Fsid-3DteULe75n1&d=AwMFaQ&c=SgMrq23dbjbGX6e0ZsSHgEZX6A4IAf1SO3AJ2bNrHlk&r=rtlMYUF4nwLIYnoG0qXTf9aFc5RLK7DMyf8lTMu__vs&m=Zry7Lse43BlfeWv78R_YeqNcAKLedbWM_88ACVXWx8c&s=zkTPnQVZJkAg4l8fxhuiE97Y3mMjmBXVGWrL85f0i0A&e=>




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Turner, Ryan H
Sent: Tuesday, October 13, 2015 3:28 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android Marshmallow and Wireless..

Correction...  TLS 1.2 was fixed for EAP-TLS in 2.2.7.  This is a good thread:

https://code.google.com/p/android/issues/detail?id=188867

I think you actually should be good running on 2.2.9 according to this thread, 
but you obviously aren't!!  If you really struggle, you may want to consider 
backreving to a freeRadius that didn't include TLS 1.2 support until you can 
assess.  If you have a virtual infrastructure, I'd spin up a test RADIUS server 
on old code with the same config and test.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Turner, Ryan H
Sent: Tuesday, October 13, 2015 3:23 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android Marshmallow and Wireless..

Post your EAP method.  The fixes for TLS1.2 are not universal across the 
freeRadius versions and are EAP type dependent.  For example, UNC is EAP-TLS, 
and the fix for TLS was in 2.2.8.  I 'think' TTLS was 2.2.9.  We've had no 
issues with Android M.  I sent an email out to our technical user community and 
we've had no issues with numerous people connecting.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Danny Eaton
Sent: Tuesday, October 13, 2015 3:13 PM
To: [email protected]
Subject: [WIRELESS-LAN] Android Marshmallow and Wireless..

So, we're a Cisco wireless shop, running WiSM-2's HA, blah blah blah... 
Authenticate the 802.1x with FreeRadius, and just upgraded it this morning to 
2.2.9.  I've got ONE user on a Nexus 5 who upgraded to Marshmallow.  When we 
were running the 2.2.8 version of FreeRadius, the login failed.  We've upgraded 
to 2.2.9, and we're seeing in the radius logs "Login OK" for his username and 
MAC address, but really, it is not connecting.

I've captured the "troubleshooting" logs from our PI 2.2.3, and we're going to 
work with him tomorrow running debug on the radius server when he's trying to 
connect, but thought I'd reach out to y'all and see if anyone else is seeing 
this issue.


               Respectfully,

               Danny Eaton

               Snr. Network Architect
               Networking, Telecommunications, & Operations
               Rice University, OIT
               Mudd Bldg, RM #205
               Jones College Associate
               Office - 713-348-5233
               Cellular - 832-247-7496
               [email protected]

               Soli Deo Gloria
               Matt 18:4-6

G.K. Chesterton, "Christianity has not been tried and found wanting.  It's been 
found hard and left untried."




**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
