On Oct 29, 2020, at 5:14 AM, Sebastian <radius@wehle.dev> wrote:
I try to do an 802.1x authentication of Cisco access points on Aruba switches against Freeradius 3.0.21-1 under Debian 10.6.
The APs prefer to do EAP-FAST so I enabled the relevant parts in modules-enabled/eap but whenever a EAP-FAST request arrives now, it throws this: (2) eap: Calling submodule eap_fast to process data (2) eap_fast: Authenticate (2) eap_fast: Continuing EAP-TLS (2) eap_fast: [eaptls verify] = ok (2) eap_fast: Done initial handshake (2) eap_fast: (other): before SSL initialization (2) eap_fast: >>> send TLS 1.3 [length 0002]
There is no standard for using TLS 1.3 with *any* EAP method. The EAP-FAST implementation in FreeRADIUS uses only TLS 1.1.
I tried to change tls_max_version from 1.2 to 1.3 but that didn't change anything.
Change it to 1.1. Alan DeKok.