TTLS EAP “unsupported protocol” error
Trying to get Cambium 450 equipment to work with TTLS EAP and FreeRadius. Specifically FreeRadius 3.2.1 on Debian 12.5 Following all the information online, I’ve setup radius including creating my own certificates and tested the setup using the eapol_test tool. Results AOK. But tests with the 450 Cambium equipment (20.1 firmware) fail at the ssl handshake with an error message in the log: “unsupported protocol” I was able to get it to work by forcing TLS 1.0 (setting min and max TLS to 1.0 and setting cipher_list to DEFAULT@SECLEVEL=0). Obviously not a good thing to do but it does suggest a TLS version issue. My question to the group is this simply a matter of what Cambium supports (TLS wise) or is it possible I have something wrong on the FreeRadius side?
On Mar 4, 2024, at 3:10 PM, Bill Schoolfield <bill@billmax.com> wrote:
Trying to get Cambium 450 equipment to work with TTLS EAP and FreeRadius. Specifically FreeRadius 3.2.1 on Debian 12.5
Following all the information online, I’ve setup radius including creating my own certificates and tested the setup using the eapol_test tool. Results AOK.
That's good.
But tests with the 450 Cambium equipment (20.1 firmware) fail at the ssl handshake with an error message in the log: “unsupported protocol”
That's weird. The NAS / AP usually doesn't do EAP. It's the supplicant which does that.
I was able to get it to work by forcing TLS 1.0 (setting min and max TLS to 1.0 and setting cipher_list to DEFAULT@SECLEVEL=0). Obviously not a good thing to do but it does suggest a TLS version issue.
That really sounds like it's a very old supplicant.
My question to the group is this simply a matter of what Cambium supports (TLS wise) or is it possible I have something wrong on the FreeRadius side?
You don't have anything wrong on the FreeRADIUS side. Nobody should be using TLS 1.0 any more :( Alan DeKok.
participants (2)
-
Alan DeKok -
Bill Schoolfield