GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

WiFi Fails to Reconnect Automatically on PEAP-MS-CHAP v2 #1770

Closed bigwolfeman closed 1 year ago

bigwolfeman commented 1 year ago

Authenticating against AD. Device fails to automatically reconnect to WiFi it has been successfully authenticated on. Manual reconnect fails. To manually reconnect, the connection settings have to be modified to change the CA Certificate from the saved one to "Trust on First Use". Then a popup from the OS has to be accepted and the WiFi connection will reestablish. WiFi reconnects automatically on other networks.

spicydll commented 1 year ago

As a workaround, I found that changing CA certificate to "use system certificates" after first connection will allow your device to reconnect.

bigwolfeman commented 1 year ago

That did not work on my first try. I'll experiment more with it.

flawedworld commented 1 year ago

It's unlikely this is an issue in the OS. Consult your helpdesk for support.

bigwolfeman commented 1 year ago

> It's unlikely this is an issue in the OS. Consult your helpdesk for support.

I am the lead admin at this site. There are hundreds of devices on the network working properly. Another user in this issue reported the same issue and a workaround that worked for them. I have a Lineage OS device that connects fine using the same settings. Clearly there is a real issue.

thestinger commented 1 year ago

Do they have Android 13?

bigwolfeman commented 1 year ago

There are plenty of Android 13 devices on the network.

flawedworld commented 1 year ago

@ajDeWolfe have you got this working fine with a Pixel phone running the stock OS on Android 13?

bigwolfeman commented 1 year ago

yes

flawedworld commented 1 year ago

Is the CA self-signed? If not, what is the Root CA used for it?

bigwolfeman commented 1 year ago

Self-signed

flawedworld commented 1 year ago

Is it a WPA2-Enterprise or WPA3-Enterprise network?

bigwolfeman commented 1 year ago

wpa2-enterprise

flawedworld commented 1 year ago

It's likely going to be an AOSP bug, be it intentional or not by Google, with how the OS deals with self-signed certificates for enterprise Wi-Fi networks. I'm not really totally surprised this is happening; Android intentionally breaks insecure enterprise network configurations over time to force organisations to move to safer standards. We don't change how this works compared to the stock OS. You'll likely have no choice in future but to deploy a proper CA for your Wi-Fi networks; expect this configuration to break in a future Android version.

In the meantime, in this specific case, please provide information on the stock OS Pixel device running Android 13 -- what device and what build? Does it still work fine if you forget the network and try to add it again?

bigwolfeman commented 1 year ago

Pixel 6 Pro TP1A.221105.002.2022112500. The issue persists if I forget the network and reconnect. I can install AOSP 13 on a OnePlus 5T and test with that too.

flawedworld commented 1 year ago

You mentioned that you had the network working fine with a stock OS Pixel device with Android 13 on it; I need the build + model of that Pixel please.

bigwolfeman commented 1 year ago

The stock one is Pixel 6 Pro TP1A.221105.002

flawedworld commented 1 year ago

If you are ok with installing an alpha, please try this OTA: https://releases.grapheneos.org/raven-ota_update-2022120600.zip

bigwolfeman commented 1 year ago

I believe it installed by enabling alpha channel updates. Build TW1A.221205.011.2022120600, no change in behavior. Even when I manually connect it fails; I have to change the certificate to allow on first use.

maade93791 commented 1 year ago

Two people are unable to replicate this issue. Using FreeRadius server, WPA2-EAP/WPA3-EAP as security standard and PEAP MSCHAPV2 as authentication method.

maade93791 commented 1 year ago

It might be an AP/RADIUS server misconfiguration or certificate not being compatible with Android 13+. See https://source.android.com/docs/core/connect/wifi-tofu#background

flawedworld commented 1 year ago

Please test this on QPR2 - the latest release.

girlbossceo commented 1 year ago

Pinging again, is this still an issue on the latest GrapheneOS release?

girlbossceo commented 1 year ago

Going to assume this is fixed as of QPR2 Android 13 due to no response, no one else has reported this issue recently, and we're unable to reproduce this on our end.

If this is still an issue, let us know, but we need very clear reproduction steps and your environment and configuration.