GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/
365 stars 21 forks source link

WiFi Failes to Reconnect Automatically on PEAP-MS-CHAP v2 #1770

Closed bigwolfeman closed 1 year ago

bigwolfeman commented 2 years ago

Authenticating against AD. Device fails to automatically reconnect to WiFi it has been successfully authenticated on. Manual reconnect fails. To manually reconnect the connection settings have to be modified to change the CA Certificate from the saved one to "Trust on First Use". Then a popup from the OS has to be accepted and WiFi connection will reestablish. WiFi reconnects automatically on other networks.

spicydll commented 2 years ago

As a work around, I found that changing CA certificate to "use system certificates" after first connection will allow your device to reconnect.

bigwolfeman commented 2 years ago

That did not work on my first try. I'll experiment more with it.

flawedworld commented 2 years ago

It's unlikely this is an issue in the OS. Consult your helpdesk for support.

bigwolfeman commented 2 years ago

It's unlikely this is an issue in the OS. Consult your helpdesk for support.

I am the lead admin at this site. There are hundreds of devices on the network working properly. Another user in this issue reported the same issue and a work around that worked for them. I have a Lineage OS device that connects fine using the same settings. Clearly there is a real issue.

thestinger commented 2 years ago

Do they have Android 13?

bigwolfeman commented 2 years ago

There are plenty of Android 13 devices on the network.

flawedworld commented 1 year ago

@ajDeWolfe have you got this working fine with a Pixel phone running the stock OS on Android 13?

bigwolfeman commented 1 year ago

yes

flawedworld commented 1 year ago

Is the CA self signed? If not, what is the Root CA used for it?

bigwolfeman commented 1 year ago

self signed

flawedworld commented 1 year ago

It is a WPA2-Enterprise or WPA3-Enterprise network?

bigwolfeman commented 1 year ago

wpa2-enterprise

flawedworld commented 1 year ago

It's likely going to be an AOSP bug, be it intentional or not by Google, with how the OS deals with self signed certificates for enterprise Wi-Fi networks. I'm not really totally surprised this is happening, Android intentionally breaks insecure enterprise network configurations over time to force organisations to move to safer standards. We don't change how this works compared to the stock OS. You'll likely have no choice in future but to deploy a proper CA for your Wi-Fi networks, expect this configuration to break in a future Android version.

In the meantime in this specific case, please provide information of the stock OS Pixel device running Android 13 -- What device and what build? Does it still work fine if you forget the network and try add it again?

bigwolfeman commented 1 year ago

pixel 6 pro TP1A.221105.002.2022112500. The issue persists if I forget the network and reconnect. I can install AOSP 13 on a oneplus 5T and test with that too.

flawedworld commented 1 year ago

You mentioned that you had the network working fine with a stock OS Pixel device with Android 13 on it, I need the build + model of that Pixel please.

bigwolfeman commented 1 year ago

the stock one is Pixel 6 pro TP1A.221105.002

flawedworld commented 1 year ago

If you are ok with installing an alpha, please try this OTA: https://releases.grapheneos.org/raven-ota_update-2022120600.zip

bigwolfeman commented 1 year ago

I believe it installed by enabling alpha channel updates. build TW1A.221205.011.2022120600 no change in behavior. Even when I manually connect it fails, I have to change the certificate to allow on first use.

maade93791 commented 1 year ago

two people are unable to replicate this issue. Using FreeRadius server, WPA2-EAP/WPA3-EAP as security standard and PEAP MSCHAPV2 as authentication method.

maade93791 commented 1 year ago

It might be a AP/Radius server misconfiguration or certificate not being compatible with Android 13+. See https://source.android.com/docs/core/connect/wifi-tofu#background

flawedworld commented 1 year ago

Please test this on QPR2 - the latest release.

girlbossceo commented 1 year ago

Pinging again, is this still an issue on the latest GrapheneOS release?

girlbossceo commented 1 year ago

Going to assume this is fixed as of QPR2 Android 13 due to no response, no one else has reported this issue recently, and we're unable to reproduce this on our end.

If this is still an issue let us know but we need very clear reproduction steps and your environment and configuration.