EAP-TLS Suggestions on FreeRadius

Alan DeKok aland at deployingradius.com
Sat Nov 1 14:07:49 CET 2014


Max Freeman wrote:
> I have been working with FreeRadius and reading these threads for
> sometime now trying to figure out how to properly configure and
> implement EAP-TLS using ECDHE-ECDSA ciphers.  

  Set the right parameters for OpenSSL.

> I am writing because perhaps there is a FreeRadius setting/ concept that
> I have been foolishly neglecting.

  All of the required OpenSSL settings are in the FreeRADIUS config
files.  And documented there.

> The client (wpa_Supplicant) sends FreeRadius a Client Hello over TLS 1.0
> (could perhaps cause problems with ECC?) and then FreeRadius Rejects it
> because of an "SSL3_CLIENT_HELLO: no shared cipher."  However, I have
> confirmed that the latest version of openssl supports my cipher.  

  Use wireshark to look at the packets.  It should be able to decode
both sides of the EAP-TLS conversation, and show you which ciphers are
being used.

> Does the EAP.conf/ FR have anything to do with Elliptic Curves and
> their shared cipher besides putting in "ALL" for the cipher and
> "secptxxx" for the curve?

  That should be it.  Depending on OpenSSL magic, maybe "ALL" doesn't
mean "ALL".  Try listing the ciphers explicitly.

> I have also confirmed through OpenSSL's s_client/ s_server program
> that my certificates are set up properly and ONLY succeed with TLS1_2
> and not TLS1.0 or TLS1.1.

  That tests the local OpenSSL.  It doesn't test the remote end.

  It's possible that the remote end doesn't support the ciphers.

  Alan DeKok.
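As an added example (not from Alan's reply or from the FreeRADIUS project), a small Python decoder for the part of the exchange Alan points at: it pulls client_version, the offered cipher suites and the supported_groups (curves) out of a captured ClientHello record, then intersects the suites with the set the server permits, which is the condition behind OpenSSL's "no shared cipher". The record and handshake layout follow RFC 5246; the sample hello, the suite/group name tables and the server's allowed set are constructed for the example.

```python
import struct

# Subset of IANA cipher-suite / named-group codes (constructed lookup for this example)
SUITES = {0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
          0xC02F: "ECDHE-RSA-AES128-GCM-SHA256", 0x002F: "AES128-SHA"}
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1"}

def parse_client_hello(rec: bytes) -> dict:
    """Decode a TLS record carrying a ClientHello into version, cipher suites, curves."""
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a ClientHello handshake record"
    # The record-layer version (rec[1:3]) is commonly 0x0301 even for a TLS 1.2 hello; negotiation uses client_version.
    p = 9                                           # record header (5) + handshake header (4)
    client_version = struct.unpack(">H", rec[p:p + 2])[0]
    p += 34                                         # client_version + 32-byte random
    p += 1 + rec[p]                                 # session_id
    n = struct.unpack(">H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack(">H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                                 # compression methods
    groups = []
    if p < len(rec):                                # extensions block is optional
        ext_end = p + 2 + struct.unpack(">H", rec[p:p + 2])[0]; p += 2
        while p < ext_end:
            etype, elen = struct.unpack(">HH", rec[p:p + 4]); p += 4
            if etype == 0x000A:                     # supported_groups: the ECC curves the client offers
                glen = struct.unpack(">H", rec[p:p + 2])[0]
                groups = [struct.unpack(">H", rec[p + 2 + i:p + 4 + i])[0] for i in range(0, glen, 2)]
            p += elen
    return {"version": client_version, "suites": suites, "groups": groups}

def shared_suites(offered, server_allowed):
    """Suites both sides accept; an empty result is what OpenSSL reports as 'no shared cipher'."""
    return [s for s in offered if s in server_allowed]

def build_sample_hello(suites, groups, version=0x0303) -> bytes:
    """Construct a minimal ClientHello (TLS 1.0 record layer, TLS 1.2 client_version)."""
    body = struct.pack(">H", version) + b"\x11" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                                 # one compression method: null
    ext = struct.pack(">H", 2 * len(groups)) + b"".join(struct.pack(">H", g) for g in groups)
    ext = struct.pack(">HH", 0x000A, len(ext)) + ext
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    hello = build_sample_hello([0xC02B, 0xC02C, 0x002F], [0x0017, 0x0018])
    info = parse_client_hello(hello)
    print("client_version 0x%04x, curves %s" % (info["version"], [GROUPS.get(g, hex(g)) for g in info["groups"]]))
    print("offered:", [SUITES.get(s, hex(s)) for s in info["suites"]])
    print("shared with ECDHE-ECDSA-only server:", [SUITES[s] for s in shared_suites(info["suites"], {0xC02B, 0xC02C})])
```

To run it against a real capture, feed the raw bytes of the first TLS record from the EAP-TLS payload (as exported from Wireshark) to parse_client_hello and compare the result with the cipher_list configured in eap.conf.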
