Connecting your Android device to a WPA Enterprise wireless network secured with certificates and FreeRADIUS

Covering Android 2.3.5, 4.1, 4.3, 5.1 and later


This carries on from Paranoid Penguin - Securing WLANs with WPA and FreeRADIUS, Parts I to III by Mick Bauer
- http://www.linuxjournal.com/article/8017 - which sets up EAP-TLS: each client authenticates to FreeRADIUS with its own X.509 certificate and private key, generated with OpenSSL, rather than with a password.
 

For phones running android 2.3.5

Once you have working Linux or Windows XP clients connected to your Wi-Fi router via WPA/WPA2 Enterprise,
follow these instructions to connect your phone. You will need the PEM pass phrase (the password that protects the client key and the .p12 export) and a way to get files onto the phone's SD card. Internet access on the phone is also needed for the certificate converter in step 2.

1. Set up credential storage

Set a credential storage password first (Settings -> Location & security -> Set password), then enable Use secure credentials in the same menu.
The credential storage password will be needed every time you power up your phone and in my experience, you are not prompted to enter it when switched on.

2. Install certs
Convert cacert.pem (the signing authority / trusted root CA certificate)
with http://www.realmb.com/droidCert/ and open the output URL in a browser on your phone to install it.
(Note: as with wpa_supplicant, the CA certificate is not required for EAP-TLS on this release, so don't import it if you get 'No certificate to install'. Without it the phone never checks which RADIUS server it is talking to, so only skip it on a network you control.)
Get the user cert/key .p12 file and copy it to the root folder of the phone's SD card.
Import it with Install from SD card (same menu as above). The password asked for is the .p12 export password.

Give the certificate a meaningful name rather than the garbage proposed in Name the certificate.

3. Install the free Google Play app WiFi Advanced Config Editor (wifiace). This may not be essential but is included to customise some settings.
4. In Settings -> Wireless, tap on the WPA/WPA2 Enterprise AP and start the config, particularly the settings for certs.
5. Open WiFi Advanced Config Editor. In Enterprise config:
 EAP -> TLS
 Phase 2 -> MSCHAPV2
 User certificate -> see step 2
 Identity / anonymous identity -> root (or some other username; don't leave it blank, but it's not fussy what's used)
 Password -> the certificate export/protection password
 If you have problems, check in wifiace that client cert, CA cert and private key all start with keystore://.

Auth protocol -> seems to default to LEAP.

Guide valid for Android 2.3.5 (Gingerbread).

(See the UHCL Android wireless guide for some more info: http://prtl.uhcl.edu/portal/page/portal/UCT/New_UCT/documentation/reap/UHCL-Android-Wireless.pdf )

For Tablets running android 4.1

1. Set up security
So that certificate storage will work, you must set a screen lock PIN or password (Settings -> Security -> Screen security -> Screen lock).
This replaces the separate credential storage password of earlier Android builds.

2. Install certs
Get the user cert/key .p12 file and copy it to the root of the phone's or tablet's SD card, i.e. /sdcard. This can be done over Bluetooth,
USB mass storage, or a web download over another Wi-Fi connection.
Import it with Settings -> Security -> Install from SD card. The certificate file name will
become the user certificate name.

3. Set up Wi-Fi. In Settings -> Wi-Fi, tap on the 802.1X (WPA/WPA2 Enterprise) AP you wish to connect to.
 EAP method -> TLS
 Phase 2 auth -> MSCHAPV2
 CA certificate -> unspecified (the tablet will then not verify the RADIUS server's certificate; see the 4.3 steps if you want it to)
 User certificate -> see step 2
 Identity / anonymous identity -> root (or some other username; don't leave it blank, but it's not fussy what's used)
 Password -> the certificate password set at creation, i.e. the PEM pass phrase

For phones running android 4.3

1. Set up security
So that certificate storage will work, you must set a screen lock PIN, password or pattern (Settings -> My device -> Lock screen -> Screen lock).
This replaces the separate credential storage password of earlier Android builds.

2. Prepare certs.
You need a .p12 file with the client cert and client private key as in the previous examples. Unlike the other droids, Android 4.3 needs the CA certificate. Take it from your signing authority and convert it to a binary (DER) file with a .crt extension. On Linux, use the command:
openssl x509 -inform PEM -outform DER -in cacert.pem -out CA.crt
where cacert.pem is your certificate authority's certificate.

3. Copy certificates and install
Copy the .p12 file and CA.crt to the root of the device storage
(i.e. internal storage, not the external SD card). In Settings -> More -> Security, choose Install from device storage and enter the .p12 password when asked. Set Credential use to Wi-Fi. Use meaningful names when prompted. Be aware that the droid deletes the certificate files from device storage once they are installed, so always work from copies.

4. Set up Wi-Fi. In Settings -> Wi-Fi, tap on the 802.1X (WPA/WPA2 Enterprise) AP you wish to connect to.
 EAP method -> TLS
 CA certificate -> see step 3 (CA.crt)
 User certificate -> see step 3 (.p12 file)
 Identity -> root-galaxy-s5 (or some other username; don't leave it blank and avoid @)
 No further password or pass phrase is required.

You should be ready to connect and go!

(help from http://android.stackexchange.com/questions/4053/how-do-you-import-ca-certificates-onto-an-android-phone for step 2.)

Troubleshooting/top tips.
Authentication error / TLS Alert read:fatal:bad certificate: if this appears in the RADIUS log files,
make sure your new toy droid has the correct date and time. A certificate is only valid between its notBefore and notAfter dates,
so a phone with the wrong clock will reject the server's certificate (an alert the server "read" was sent by the phone) or present its own as not yet valid.
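The certificate preparation in step 2 of the Android 4.3 section and the clock check above, as an added example that is not part of this guide: a shell script that builds CA.crt and the client .p12 with openssl, then verifies them the way the device and FreeRADIUS will before anything is copied to the phone. It generates a throwaway CA and client certificate so it runs on its own; the file names, the "export-password" string and the "wifi-client" friendly name are assumptions, and with a real setup you would point the functions at your own cacert.pem and the client cert and key issued for the phone.

```shell
#!/bin/sh
# Added example (not from the original guide): build the files the Android
# steps ask for, a DER CA.crt and a password-protected client .p12, from PEM
# material, then check them the way the device and FreeRADIUS will.
set -eu

# make_demo_pki DIR
# Constructed, throwaway CA and client certificate so the script runs on its
# own. With a real setup, point the functions below at your own cacert.pem and
# the client cert/key issued for the phone instead of calling this.
make_demo_pki() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Wi-Fi CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-phone" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
}

# prepare_android_bundle CA_PEM CLIENT_CRT CLIENT_KEY OUT_DIR EXPORT_PW
# Writes OUT_DIR/CA.crt (DER, what Android 4.3 and later import) and
# OUT_DIR/client.p12 (client cert plus private key, locked with EXPORT_PW,
# the password the phone asks for at "Install from SD card"). It first refuses
# a client cert that does not chain to this CA: the import on the phone would
# succeed anyway, but FreeRADIUS would reject the TLS handshake.
prepare_android_bundle() {
  local ca_pem="$1" crt="$2" key="$3" out="$4" pw="$5"
  mkdir -p "$out"
  openssl verify -CAfile "$ca_pem" "$crt" >/dev/null
  openssl x509 -inform PEM -outform DER -in "$ca_pem" -out "$out/CA.crt"
  openssl pkcs12 -export -in "$crt" -inkey "$key" -name "wifi-client" \
    -passout "pass:$pw" -out "$out/client.p12"
}

# p12_opens_with P12 PW
# 0 if the bundle unlocks with PW (the same check the device does at import),
# non-zero otherwise. Run this before walking to the phone with a wrong password.
p12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# chain_valid_at CA_PEM CERT EPOCH_SECONDS
# 0 if CERT chains to CA_PEM and both sit inside their notBefore/notAfter
# window at the given time. Pass the phone's clock here to reproduce the
# "TLS Alert read:fatal:bad certificate" failure from the troubleshooting tip
# without touching the device; run it against the RADIUS server certificate
# as well, since that is the one the phone checks.
chain_valid_at() {
  openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run on the constructed PKI. WORK is left set so the files can be inspected.
WORK=$(mktemp -d)
make_demo_pki "$WORK/pki"
prepare_android_bundle "$WORK/pki/cacert.pem" "$WORK/pki/client.crt" \
  "$WORK/pki/client.key" "$WORK/phone" "export-password"
openssl x509 -inform DER -in "$WORK/phone/CA.crt" -noout -subject -dates
echo "copy $WORK/phone/CA.crt and $WORK/phone/client.p12 to the device"
```

If an older Android release reports a wrong password on a .p12 that p12_opens_with accepts, the cause is usually the AES/PBES2 encryption that OpenSSL 3 uses by default, which older importers do not understand; re-export with `openssl pkcs12 -export -legacy ...` on OpenSSL 3 to get the older 3DES/RC2 encoding.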

For devices running android 5.1

Lollipop is the same as 4.3 above, but Security is under More or Personal in Settings. On TV boxes, screen lock passwords are usually disabled, so to get WPA Enterprise working repeatably you will have to go into Settings -> Security and enter the PIN or password to unlock credentials whenever you power up.

For devices running above android 5.1

Generally the situation is simpler on newer Android. Install the .p12 through Settings -> Security -> Install from SD card.
Give the certificate a meaningful name and set its credential use to Wi-Fi. Add your WPA Enterprise connection under Wireless.
EAP method is TLS. It is usual to set CA certificate to Do not validate, but with that setting the device never checks the RADIUS server's certificate and so cannot tell a rogue access point announcing your SSID from your own. If you can, install the CA certificate as in the 4.3 steps and select it here instead.
User certificate is the one named above.
