On Mar 31, 2015, at 10:53 AM, Jouni Malinen <jkmalinen@gmail.com> wrote:
It should actually already be possible to enable this by adding phase1="tls_disable_session_ticket=0" into the network profile in wpa_supplicant/eapol_test.
That's good to know.
This workaround (of not sending session ticket) can also be disabled with eap_workaround=0, but it looks like that actually results in other issues with FreeRADIUS (mismatch in EAP-MSCHAPv2 header length when used within PEAP),
Hmm... I don't see that here. Do you have packet traces / debug logs? And the inner EAP data in PEAP is... stupid. Very, very, stupid. <sigh>
I don't know which TLS implementation is involved in the problem cases or whether the EAP server implementation manages to break this on its own. Anyway, none of the reported interop issues with TLS session ticket extension have been with FreeRADIUS.
That's good to know. Alan DeKok.