On Sep 17, 2024, at 12:46 PM, Rodrigo Abrantes Antunes <rodrigoantunes@pelotas.ifsul.edu.br> wrote:
## REJECTED .. (911) eap_peap: (TLS) send TLS 1.2 Alert, fatal protocol_version (911) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
Ah, that's the other end saying it doesn't like the protocol version which FreeRADIUS is using. It should negotiate a mutually compatible TLS version, but... whatever.
Doesn't cipher_list = "DEFAULT@SECLEVEL=0" says the server to support the old ciphers?
That configuratio tells OpenSSL to support the old ciphers. Mostly. Some newer OS distributions have removed support for old TLS versions from OpenSSL. You will need to investigate your local OS to see what it supports, and what TLS versions are supported by the OpenSSL libraries. Again... this isn't a FreeRADIUS issue. No amount of poking FreeRADIUS will get OpenSSL to support TLS 1.0 with triple-DES, if that's what the clients are using. You night just need to upgrade the client, or build a custom version of OpenSSL.
Configure OpenSSL (e.g. cipher_list) so that it works with a new version of OpenSSL. Or, use an old version of OpenSSL. There really aren't many other choices.
What are the other choices possible?
Live with the fact the some devices won't work, because they're too old. Alan DeKok.