EAP - TLS 1.2 Support

Alan DeKok aland at deployingradius.com
Sun Jan 19 17:08:06 CET 2014


Cholleti, Hanumantha wrote:
> Wondering if FreeRadius supports EAP TLS 1.2 authentication; our understanding is, if we have the OpenSSL version that supports the TLS 1.2 ciphers and FreeRadius EAP module is configured with the TLS 1.2 cipher, it should support.

  FreeRADIUS uses OpenSSL for TLS.  So any TLS version requirements are
requirements on OpenSSL.

> Sorry if we missed any additional documentation, for EAP TLS 1.2
> authentication, we updated our eap configuration cipher:
> cipher_list = "AES256-SHA256"

  You should have more ciphers than that.

  Why break the default configuration?

> (3) ERROR: eap_tls : SSL says: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

  That's pretty definitive.  You need to configure a shared cipher.

>                                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>                                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  Note that those are *not* the cipher you configured above.  They have
to be *identical*, so far as I know.

  Why not use the default cipher list?  Have you even tried?  It
should work.

  Alan DeKok.
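
One way to run the comparison this thread turns on, as an added example that is not part of the original post or of FreeRADIUS: it expands a cipher_list string into TLS code points with the local OpenSSL (through Python's ssl module) and intersects them with the suites offered in the quoted ClientHello, reporting the minimum protocol OpenSSL assigns to each match. The function names are hypothetical, and the result reflects the OpenSSL build Python is linked against, which is assumed to behave like the one the RADIUS server uses.

```python
import ssl

# Suites offered in the ClientHello quoted in the thread (IANA code points).
CLIENT_HELLO = {
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def expand_cipher_list(cipher_list):
    """Expand an OpenSSL cipher string into {code_point: (openssl_name, protocol)}.

    Uses the OpenSSL that Python is linked against (assumption: it behaves
    like the build used by the RADIUS server). Returns {} if nothing matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        # OpenSSL rejected the string: no cipher it knows matches.
        return {}
    # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the wire value.
    return {c["id"] & 0xFFFF: (c["name"], c["protocol"])
            for c in ctx.get_ciphers()}


def shared_suites(cipher_list, offered=CLIENT_HELLO):
    """Return suites both enabled by cipher_list and offered by the client."""
    enabled = expand_cipher_list(cipher_list)
    return {
        code: {"iana": offered[code],
               "openssl": enabled[code][0],
               "min_protocol": enabled[code][1]}
        for code in sorted(offered.keys() & enabled.keys())
    }


if __name__ == "__main__":
    # Constructed inputs: the configured value from the thread plus two others.
    for spec in ("AES256-SHA256", "AES128-SHA", "NO-SUCH-CIPHER"):
        matches = shared_suites(spec)
        print(f"cipher_list = {spec!r}")
        if not matches:
            print("  no suite in common with the ClientHello")
        for code, info in matches.items():
            print(f"  0x{code:04x} {info['iana']} = {info['openssl']} "
                  f"({info['min_protocol']})")
```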

