On Nov 24, 2020, at 10:10 AM, Jochem Sparla <J.Sparla@iolan.com> wrote:
It's the 'CipherString = DEFAULT@SECLEVEL=1' that makes a difference.
You can do this in FreeRADIUS. See the "eap" module configuration. Set "cipher_list" to that value, and it will work.
The 'MinProtocol = TLSv1.2' can be left out of openssl.cnf, as long as 'tls_min_version' is set in FreeRADIUS eap config.
It now works, with 'eap_peap: <<< recv UNKNOWN TLS VERSION ?0304?' and using 'TLS 1.0' further on according to the debug logging. I'm sure it's not the best or prettiest way, but I do not understand enough of all the techniques and protocols to make it better. Like solving why it still says TLS 1.3 on the first message, and why it doesn't use TLS 1.1/1.2 even though those are enabled in Windows 7, and why the process just stops when forcing TLS 1.1/1.2 by disabling TLS 1.0 in Windows.
Windows is magic. :( Alan DeKok.