On Jun 16, 2020, at 8:39 AM, Sergio NNX <sfhacker@hotmail.com> wrote:
We have recently upgraded from 3.0.18 to 3.0.22.
We are running some EAP tests, in particular EAP-TLS using eapol_test.
eapol_test tool complains with this message:
'Locally derived EAP Session-Id does not match EAP-Key-Name from server'
It works in my tests. However...
Any pointers would be greatly appreciated. ... (9) eap_tls: <<< recv TLS 1.3 [length 0001]
Don't use TLS 1.3. In mods-enabled/eap, set: tls_max_version = "1.2" There is currently no standard for using TLS 1.3 with EAP-TLS. It's being worked on, and should be available late this year. i.e. *no one* implements TLS 1.3 for EAP-TLS properly. Because the standard isn't finished. Hostap has implemented support for TLS 1.3 according to the current proposal , but the standard may change. FreeRADIUS doesn't even try to implement the standard yet. We hope to have preliminary support for TLS 1.3 in the next release. Alan DeKok.