[FR 3.0.22] Locally derived EAP Session-Id does not match EAP-Key-Name from server

Alan DeKok aland at deployingradius.com
Tue Jun 16 14:51:54 CEST 2020

On Jun 16, 2020, at 8:39 AM, Sergio NNX <sfhacker at hotmail.com> wrote:
> We have recently upgraded from 3.0.18 to 3.0.22.
> We are running some EAP tests, in particular EAP-TLS using eapol_test.
> eapol_test tool complains with this message:
>      'Locally derived EAP Session-Id does not match EAP-Key-Name from server'

  It works in my tests.  However...

> Any pointers would be greatly appreciated.
> (9) eap_tls: <<< recv TLS 1.3  [length 0001]

  Don't use TLS 1.3.  In mods-enabled/eap, set:

		tls_max_version = "1.2"

  There is currently no standard for using TLS 1.3 with EAP-TLS.  It's being worked on, and should be available late this year.

  i.e. *no one* implements TLS 1.3 for EAP-TLS properly.  Because the standard isn't finished.

  Hostap has implemented support for TLS 1.3 according to the current proposal, but the standard may change.  FreeRADIUS doesn't even try to implement the standard yet.

  We hope to have preliminary support for TLS 1.3 in the next release.

  Alan DeKok.
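
Added example, not part of the original post and not FreeRADIUS code: a small Python check for the two things the reply points at, namely whether the eap module config caps EAP-TLS at TLS 1.2 and whether debug output shows TLS 1.3 records. The sample config and debug text are constructed, and treating an unset tls_max_version as allowing TLS 1.3 is an assumption.

```python
import re

# Constructed sample of a mods-enabled/eap fragment (not from the original post).
SAMPLE_EAP_CONF = '''
eap {
	tls-config tls-common {
		tls_min_version = "1.0"
		# tls_max_version = "1.3"
		tls_max_version = "1.2"
	}
}
'''

# Constructed debug lines in the style of the one quoted in the post.
SAMPLE_DEBUG = '''
(9) eap_tls: <<< recv TLS 1.3  [length 0001]
(9) eap_tls: >>> send TLS 1.2  [length 0039]
'''

SETTING = re.compile(r'^\s*tls_max_version\s*=\s*"?([0-9.]+)"?')
TLS13_RECORD = re.compile(r'eap_tls: .*\bTLS 1\.3\b')

def tls_max_version(conf_text):
    """Return the last uncommented tls_max_version value, or None if unset."""
    value = None
    for line in conf_text.splitlines():
        m = SETTING.match(line)  # a leading '#' prevents a match, so comments are skipped
        if m:
            value = m.group(1)
    return value

def allows_tls13(conf_text):
    """True when the config does not cap EAP-TLS below TLS 1.3."""
    value = tls_max_version(conf_text)
    if value is None:
        return True  # assumption: with no cap, the TLS library's maximum applies
    return tuple(int(p) for p in value.split(".")) >= (1, 3)

def tls13_debug_lines(debug_text):
    """Return the debug lines that show TLS 1.3 records inside eap_tls."""
    return [l for l in debug_text.splitlines() if TLS13_RECORD.search(l)]

if __name__ == "__main__":
    print("max version:", tls_max_version(SAMPLE_EAP_CONF))
    print("TLS 1.3 allowed:", allows_tls13(SAMPLE_EAP_CONF))
    print("TLS 1.3 lines:", tls13_debug_lines(SAMPLE_DEBUG))
```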
