On 01/12/2020 21:37, Alan DeKok wrote:
On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have tried to add EAP-TLS support to my working configuration with PEAP/MSCHAPv2, following: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft...
That's very old, and very likely wrong. I just don't trust third-party sites. The advice is usually out of date, confusing, incorrect, or all 3.
That's my site ;-P The info there is about the only place on the web that describes how PEAP/EAP-TLS works, or at least it was when written. It is old now, but the config still looks pretty correct. As it says, it's the fragment_size thing that actually matters.
Can someone provide a working config for PEAP/EAP-TLS?
Honestly, why? There's no point now unless you want to slow your authentication down by adding more round trips. The first paragraph on the site says as much. Microsoft have removed SoH from Windows 10. There's about no other reason I can think of to do both PEAP and EAP-TLS. Just use EAP-TLS on its own. It's simpler, and faster. -- Matthew