PEAP MSCHAPV2 not working on FP5

As in the subject. I can’t make it work. It works on any other phone/PC no matter the OS: Linux/Windows and Mac, but it does not work on FP5.

I go to networks, I select network:
EAP method: PEAP
Phase 2: MSCHAPV2
CA Cert: Do not validate/Added cert
Identity: {{username}}
Anonymous identity: {{empty}}
Password: {{user password}}
In advanced options I only select {{Use device MAC}} since I use MAC filtering on my firewall.

I click connect aaaaand {farting noises} it does not work. I spent the last 2 days using different configurations,
I tried CA certs,
I tried User p12 certs, but for some reason not a single one can be unpacked with default or custom passwords…
I tried updating OS using Hotspot network.
I tried using different credentials that are working on other devices
I tried using credentials on other devices - they work.
I tried using different domain names
I tried creating new CA with more custom options and domains.

The phone was only unpacked. Nothing freaking works to solve this issue and it’s just a WiFi connection. I don’t want to create a new network for the Fairphone since I am using Radius to avoid 10 different networks for different vlans. So what else can I try?

Do you need to tell Radius in advance what the MAC from the phone is?
Does Radius allow new devices?

I turned off MAC filtering to test it, issue still occurs :frowning:

Have you tried PWD instead of PEAP?

It saved a network, but still can’t connect.

Did you turn off MAC filtering in the firewall ánd in Radius?
Or doesn’t Radius look at MAC filtering?
What does Radius need to allow the phone?

I turned it off on the firewall, I don’t use Radius MAC filtering

Does Radius allow every new device?

It’s credential based. Radius allows any user that has correct credentials… The firewall has MAC filtering on the whole network or rather virtual network(vlan).
The credentials that I am using on this Fairphone are working perfectly fine on other devices, other OSes and even other Android phones do not have this issue.
That is why I am asking for help: from the infrastructure standpoint everything is working fine for 10+ devices with different OSes on those devices.

Have you tried “use system certificate”?

Screen lock set up?

With Android 13 it should actually look like this:

I don’t have screen lock,
I tried system certs. Not working :sob:

Okay I was able to fix it:
EAP: PEAP
Phase2: MSCHAPV2
CA certificate: {{CA certificate from firewall}}
Online Certificate status: Do not verify
Domain: {{Common Name of the certificate - something like www.yourdomain.com or company name - I changed it when generating new cert for Radius}}
Identity: {{username}}
Anonymous identity: {{empty}}
Password: {{user password}}
Advanced: in advanced I only changed “Use device MAC”

It seems that selecting “CA Cert: Do not validate” does not allow the network to be saved/used, even if correct credentials and other settings are provided.

It seems that that option is no longer supported, but is still present in the drop-down and causes some error when new network is created with that option. At least that would be my guess, more info I found on the subject: https://www.xda-developers.com/android-11-break-enterprise-wifi-connection/

In my case I needed to generate a completely new CA cert in the firewall with a new “Common Name”, e.g. “www.example.com”;
Then add it to Radius config;
Download CA.crt file;
Add it to Wi-Fi cert store on Fairphone for eg. “RadiusCERT”;
Select it from the dropdown “CA certificate” when defining the new connection; it will appear as saved in the Wi-Fi cert store, e.g. “RadiusCERT”;
Put my custom domain(Common Name of the certificate) in Domain field: “www.example.com”;
Re-enter credentials;
Change in advanced settings to “Use device MAC” for this connection;
Click connect;
And this time it worked;

1 Like
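
The fix in the last post depends on two settings together: a selected CA certificate and a Domain value that matches the RADIUS server certificate. The following Python code is an added example, not from the thread. It assumes the Domain field is compared with the label-wise suffix rule documented for wpa_supplicant's `domain_suffix_match` (dNSName SAN entries first, Common Name only when there are none). The profile and certificate dictionaries and the function names are constructed for illustration.

```python
def suffix_match(domain, cert_name):
    """Label-wise suffix comparison, starting from the top-level domain.
    'example.com' matches 'radius.example.com' but not 'badexample.com'."""
    want = domain.lower().rstrip(".").split(".")
    have = cert_name.lower().rstrip(".").split(".")
    return len(have) >= len(want) and have[-len(want):] == want


def domain_ok(domain, san_dns, common_name):
    """SAN dNSName entries take priority; CN is consulted only if none exist."""
    if not domain:
        return False
    names = san_dns if san_dns else [common_name]
    return any(suffix_match(domain, name) for name in names)


def check_profile(profile, server_cert):
    """Return a list of problems; an empty list means the server certificate
    is validated against a CA and the Domain value matches it."""
    problems = []
    if not profile.get("ca_cert"):
        problems.append("no CA certificate selected: server is not validated")
    if not profile.get("domain"):
        problems.append("Domain is empty")
    elif not domain_ok(profile["domain"], server_cert["san_dns"], server_cert["cn"]):
        problems.append("Domain does not match the server certificate")
    return problems


# Constructed sample data mirroring the two configurations in the thread.
SERVER_CERT = {"cn": "www.example.com", "san_dns": []}
FAILING = {"eap": "PEAP", "phase2": "MSCHAPV2", "ca_cert": None, "domain": ""}
WORKING = {"eap": "PEAP", "phase2": "MSCHAPV2",
           "ca_cert": "RadiusCERT", "domain": "www.example.com"}

if __name__ == "__main__":
    for label, profile in (("first attempt", FAILING), ("final config", WORKING)):
        print(label, check_profile(profile, SERVER_CERT) or "OK")
```

If the RADIUS certificate carries any dNSName SAN entries, the Domain value has to match one of those; the Common Name alone is then not enough.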