W dniu 28.06.2022 o 15:04, Kamil Jońca pisze:
Matthew Newton <mcn@freeradius.org> writes:
On 28/06/2022 08:41, Kamil Jońca wrote:
Debian box with debian radius packages. There is old phone (Samsung Wave) which was configured to use PEAP0 to connect to wifi.
If it's an old phone you might want to check OpenSSL ciphers / TLS versions. That's the most likely.
I have some older devices and I have to enable some strange ciphers :(
Of course I can provide logs, but they are quite huge.
Please send logs of both. We don't have time to make random guesses.
Just from `freeradius -X` (not -xxx, -Xx, etc)
3.0.25 https://drive.google.com/file/d/1uswz1jQRyAE_J7b9tu8Hrf4HmZqkT0NW/view?usp=s... 3.2 https://drive.google.com/file/d/15ONVo-KrM0Mq6Jrwu0PlKBDFMKTBpDgX/view?usp=s...
KJ
From provided logs, it looks like not the client, but the server insists on degrading TLS to v1.0 in the handshake. Maybe trying with the wider range of acceptable TLS versions in eap module could solve the issue: tls_min_version = "1.0" tls_max_version = "1.3" FreeRadius 3.2.0 works perfectly for this range for eap-ttls performing tunnelled authentications and servicing clients capable of TLSv1.0, TLSv1.2 and TLSv1.3 methods. -- Marek Zarychta