Martin Rowe wrote:
The specific issue as far as I can troubleshoot is that the client and server can't agree on a shared TLS cipher. I'm seeing these lines in my logs every time I attempt a connection:
You'll probably need to update the "cipher_list" in the "eap" module configuration. Windows is picky...
But that is as far as I can get. I've tried disabling every option I can in the configs and many variations on the Windows side, but they all stop at the same point. There is no limit I have set on which TLS ciphers can be used (cipher_list in eap{tls{}} is not used, and gave the same error when set to DEFAULT).
The DEFAULT list of ciphers is old. Your OpenSSL libraries may not include the new ciphers that Windows expects. Try setting it to "ALL". If that doesn't work, it's more difficult to say what's wrong. Windows is "helpful" and doesn't produce reasonable error messages about what it expects.
My only other guess is there is something wrong with the certificates, but I'm not sure what might be wrong. I have copied both my root and my radius intermediate CA certificates onto the Windows client along with the client certificate and key. They are installed and the chain is valid according to the Windows Credential Manager.
Then that should work. Does PEAP work? Alan DeKok.