EAP-TLS Certificates for Wireless on Android

This topic is to discuss the following lesson:

https://networklessons.com/uncategorized/eap-tls-certificates-for-wireless-on-android/

Hi. Thanks for the thorough walkthrough. I’m having issues at the point of connecting to the SSID. Once I try to connect, I am presented with an incorrect password error. Subsequent tries are left hanging on a “connecting” message. Have you come across this during your config?

Hi,

Because there are many things to configure there are a lot of things that could go wrong. Your best option is to start looking in the event viewer of server 2008 as it shows you why a client was rejected…

Rene

Hello,

Great post. Very informative. Two questions if I may: an EAP-TLS user certificate was used in the above example, but do you know if an EAP-TLS machine certificate is possible? At my job we use EAP-TLS machine certificates for our computers, but we would like to now extend EAP-TLS machine certificates to the Androids. Also, in the example you launched http://your-server-ip/certsrv from a computer and then exported/imported to the Android; is it possible to download/install the cert from http://your-server-ip/certsrv directly onto the Android, or must the export/import step be used?

Hi,

As far as I know it’s only possible to use “user certificates” on the Android devices. Maybe there’s a proprietary solution somewhere but it seems there’s no support. I haven’t seen any SCEP support for Android devices.

I do believe that on Android 4.x devices it is possible to go to http://your-server-ip/certsrv directly and request the certificate right from your Android device. I didn’t try this yet, so if you do and it works, please let me know :)

Rene

Hello,
Do you know if it is possible to back up the certificate storage on the Android device? Several of our users manage to factory reset their devices from time to time, and every time we have to generate each certificate and import it again. If we could just back up their certificate storage (and in some cases, even teach them how to do it), we would reduce support requests a lot.

Hmm, good question. I’m not sure where the certificate is stored on Android, and also not sure if it’s the same on all Android versions. Maybe it’s a better idea to back it up not on the Android device but on the computer where you are requesting them?

This is a good tutorial. We tried doing the same thing and it works on an HTC with Android 4.1 and a Galaxy 5 with Android 4.4, but we have an S4 with v4.2 and 4.3 and it doesn’t seem to work when authenticating with the wireless device. We can see the certs, but it doesn’t authenticate with the wireless router. Is there a way we can get logs from the phone?

Hi,

I’m not sure if you can see the (wireless) log of the phone, and even if you could, it’s possible that you need root access. Can’t you see anything in the log/debug of the wireless controller? That’s where I look first normally. You’ll see the phone trying to associate and the authentication details. If the phone got associated, check the log of the RADIUS server.

Rene

Hi René,
Thanks for your post. Very informative. I would like to connect my mobile (Moto G) to a Wifi LEAP server. I tried to download a LEAP Wifi app, but no help.

If possible could you please help on this? Thx! - Arul

Hi Arul,

I think LEAP support was removed from Android some time ago now, since it is pretty insecure. LEAP is vulnerable to offline dictionary / brute force attacks. Maybe you can make it work with one of the LEAP apps in the Play Store, but looking at some of the reviews, I don’t think it will work very well on all devices… time to convince the network engineer to upgrade to PEAP or EAP-TLS :)

Rene

I’m seeing some issues with some Android 4.3 devices trying to connect to EAP-TLS protected Wifi networks. Certainly my Samsung Galaxy S3 running Android 4.3 cannot connect. Our NPS server returns a message “Reason Code 266: NPS received a message that was either unexpected or incorrectly formatted. NPS discarded the message for this reason.” ADB logcat from the SGS3 shows an unexpected (or possibly out-of-sequence?) packet.

Just an update to this. I got a firmware update through for my Samsung Galaxy S3, and after the new firmware (still Android 4.3) was applied, I was able to connect to my EAP-TLS protected Wifi network!

Hi,
We usually create EAP-PEAP supported SSIDs. Can we use the same SSID for EAP-TLS?
If yes or no, could you show an example SSID?
Thanks

Hi Rene,
You said “EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a client certificate.”
In this example you are providing a username to connect to the SSID?
Thanks

Hello Sims

It is not possible to use the same SSID for both eap-peap support and eap-tls. You must use two separate SSIDs. However, Cisco ISE does have the capability of creating authentication policy rules. These are organised in if and then statements. When you configure an SSID, you can configure an authentication policy with all of the allowed protocols. If a device does not support this, or fails to connect using one specific setup, it can go on to the next available protocol configuration in the list until the list is exhausted. This however cannot be configured to explicitly connect one user using one method and another using a different method. This is especially useful in BYOD environments. You can find out more about this here within the Authentication Policies section.

I hope this has been helpful!

Laz

Hello again Sims

It is more secure to use a certificate for authentication rather than a username and password. This is because the security mechanisms involved are much more complex and more difficult to break.

In the above example, only the certificate is used for authentication. The username is used just for identity purposes, to indicate to whom the certificate belongs.

I hope this has been helpful!

Laz
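To make the distinction above concrete, here is an added example (not from the lesson or from anyone in this thread) showing two wpa_supplicant network blocks, one for PEAP and one for EAP-TLS, side by side. It assumes desktop-style wpa_supplicant syntax (Android's Wi-Fi stack is built on the same supplicant but exposes these settings as UI fields) and uses placeholder SSIDs, identities and file paths.

```conf
# Added example (not from the lesson or the thread): two wpa_supplicant-style
# network blocks showing what each EAP method actually authenticates with.
# SSIDs, identity, and certificate/key paths below are placeholders.

# PEAP: the credential is the username/password (MSCHAPv2 inside the TLS tunnel).
network={
    ssid="corp-peap"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"                  # account name checked by the RADIUS server
    password="placeholder-password"  # the secret that is actually verified
    ca_cert="/etc/cert/corp-ca.pem"  # validates the RADIUS server certificate
    domain_suffix_match="radius.example.com"
}

# EAP-TLS: the credential is the client certificate and its private key.
# 'identity' is sent in the clear in EAP-Response/Identity and only tells the
# server which account the certificate belongs to; there is no password.
network={
    ssid="corp-tls"                  # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe"                  # informational, not a secret
    ca_cert="/etc/cert/corp-ca.pem"  # without this, any server certificate is accepted
    client_cert="/etc/cert/jdoe.pem" # the user certificate requested from certsrv
    private_key="/etc/cert/jdoe.key" # the matching private key (keep it on the device only)
    private_key_passwd="placeholder-passphrase"
    domain_suffix_match="radius.example.com"
}
```

When a phone shows the certificates but still fails to authenticate, the server-side checks (ca_cert and domain_suffix_match) are the first settings to compare against the RADIUS server's certificate, since they are what the supplicant evaluates before it ever presents the client certificate.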