Android 11 and EAP-TLS Freeradius 3.0

How to update Freeradius 3.0 to cooperate with Android 11

I decided to write this article because I spent a few hours trying to force Android 11 to cooperate with a WPA2-Enterprise EAP-TLS access point. As we know, Android 11 introduced a change that forces you to fill in the domain name parameter, and if you previously used EAP-TLS with Freeradius 3.0 on Android 10 with the domain name left empty, you will have a problem. I had a situation in which, after the upgrade to Android 11, the connection to WPA2-Enterprise still worked because the configuration had been saved by Android 10 and was used by Android 11. But after removing the old config and trying to re-add it, you have an issue.
On the internet I read that the CN field of the CA cert is compared, but this is not true: you actually have to update the CN field of the server cert.

I assume that you use certificates from the /etc/freeradius/3.0/certs directory in your configuration. Here are the steps to configure Freeradius for Android 11:

  • Log in as root on the console of the Freeradius server.
  • cd /etc/freeradius/3.0/certs
  • delete all server.* files with the exception of server.cnf
  • nano server.cnf and go to the end, where the commonName property is defined, and put your domain name there for example then save and exit
  • execute the command make server
  • chown freerad.freerad server.*
  • systemctl restart freeradius
You do not have to regenerate the CA cert/keys or the client certs/keys, which are irrelevant to domain checking. Now you can connect to the WPA2-Enterprise EAP-TLS network on Android 11 by putting in the domain name param.
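
To check the regenerated certificate before testing on the phone, here is an added example (not part of the original article) that goes one step beyond it: it mirrors the suffix match wpa_supplicant applies for its domain_suffix_match setting, which compares the domain against the server certificate's SAN dNSName entries and falls back to the subject CN only when there are none. It assumes OpenSSL 1.1.1 or later and that make server produced server.pem; the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article). Assumes OpenSSL 1.1.1+ for "x509 -ext".
# Usage: sh check_domain.sh DOMAIN [CERT]   (script name is hypothetical)

# suffix_match DOMAIN NAME: succeed if NAME equals DOMAIN or ends in ".DOMAIN",
# ignoring case, so example.org accepts radius.example.org but not badexample.org.
suffix_match() {
    d=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    n=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$d" ] || return 1
    case "$n" in
        "$d"|*."$d") return 0 ;;
    esac
    return 1
}

# cert_names CERT: print the names the client compares, one per line:
# SAN dNSName entries if the certificate has any, otherwise the subject CN.
cert_names() {
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
          tr ',' '\n' | sed -n 's/^ *DNS://p')
    if [ -n "$san" ]; then
        printf '%s\n' "$san"
    else
        openssl x509 -in "$1" -noout -subject -nameopt multiline |
            sed -n 's/^ *commonName *= //p'
    fi
}

# domain_ok CERT DOMAIN: succeed if any compared name satisfies the suffix match.
domain_ok() {
    while IFS= read -r name; do
        if suffix_match "$2" "$name"; then return 0; fi
    done <<EOF
$(cert_names "$1")
EOF
    return 1
}

if [ "$#" -ge 1 ]; then
    cert=${2:-/etc/freeradius/3.0/certs/server.pem}
    if domain_ok "$cert" "$1"; then
        echo "OK: '$1' matches: $(cert_names "$cert" | tr '\n' ' ')"
    else
        echo "MISMATCH: '$1' vs: $(cert_names "$cert" | tr '\n' ' ')" >&2
        exit 1
    fi
fi
```

Run it with the domain you intend to type into the Android Wi-Fi dialog; a MISMATCH means the phone will reject the server certificate even though the CA and client certificates are fine.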

Have fun.