Hi, I have tried to add EAP-TLS support to my working configuration with PEAP/MSCHAPv2, following: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft... First it complains (/etc/freeradius/sites-enabled/inner-tunnel[26]: Unknown Auth-Type "inner-eap" in authenticate sub-section) about having innereap in the authenticate section of the inner-tunnel, if I leave eap (which I think is correct?!) Then the EAP authentication stops with: (480) eap: Peer sent packet with method EAP NAK (3) (480) eap: Peer NAK'd asking for unsupported EAP type TLS (13), skipping... (480) eap: ERROR: No mutually acceptable types found Which should mean that the inner-eap config file is not working? Currently the inner-eap config looks like that: eap inner-eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no mschapv2 { } tls-config tls-inner { private_key_file = ${raddbdir}/tls-certs/vpn.key certificate_file = ${raddbdir}/tls-certs/vpn.crt ca_file = ${raddbdir}/tls-certs/ca.pem dh_file = ${raddbdir}/tls-certs/dh.pem random_file = /dev/urandom fragment_size = 1024 check_crl = no cipher_list = "DEFAULT" } tls { tls = tls-inner } } I am not sure about the tls-config, the sample files use the tls config like that for the eap file, but the inner-eap sitll has the config directly in the tls sections - anyways, I tried both and same result. Additionally mschapv2 just continues to work, if I add it, or remove it, no change. I'm using: radiusd: FreeRADIUS Version 3.0.20 (git #d94c953), for host x86_64-pc-linux-gnu FreeRADIUS Version 3.0.20 I also read that there's a new option "inner_eap_module" for the PEAP section inside eap, but I can't figure out if that's actually in 3.0.20 or not ... Can someone provide a working config for PEAP/EAP-TLS? Can someone describe why my config is not working? Thanks Thomas
On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have tried to add EAP-TLS support to my working configuration with PEAP/MSCHAPv2, following: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft...
That's very old, and very likely wrong. I just don't trust third-party sites. The advice is usually out of date, confusing, incorrect, or all 3.
First it complains (/etc/freeradius/sites-enabled/inner-tunnel[26]: Unknown Auth-Type "inner-eap" in authenticate sub-section) about having innereap in the authenticate section of the inner-tunnel, if I leave eap (which I think is correct?!)
It's not good to make random changes without fully understanding what's going on. i.e. adding "inner-eap" in one place, but not another.
Then the EAP authentication stops with:
(480) eap: Peer sent packet with method EAP NAK (3) (480) eap: Peer NAK'd asking for unsupported EAP type TLS (13), skipping... (480) eap: ERROR: No mutually acceptable types found
You disabled "tls" in the "eap" module.
Which should mean that the inner-eap config file is not working? Currently the inner-eap config looks like that:
No. It means that the "eap" method is running. Not "inner-eap". And PLEASE look at the debug log. ALL OF IT. Looking 480 packets in isn't necessary. Look at ONE authentication attempt. It's maybe 16 packets. See the documentation on my web site for testing EAP: http://deployingradius.com
I am not sure about the tls-config, the sample files use the tls config like that for the eap file, but the inner-eap sitll has the config directly in the tls sections - anyways, I tried both and same result. Additionally mschapv2 just continues to work, if I add it, or remove it, no change.
Yes... making random changes to "see what works". This isn't the recommended approach.
I'm using:
radiusd: FreeRADIUS Version 3.0.20 (git #d94c953), for host x86_64-pc-linux-gnu FreeRADIUS Version 3.0.20
You'll have to grab the v3.0.x branch from GitHub in order to do PEAP/EAP-TLS. We've put some fixes in which make it easier to do. 3.0.20 will work, but will require a bit more effort than should be necessary.
I also read that there's a new option "inner_eap_module" for the PEAP section inside eap, but I can't figure out if that's actually in 3.0.20 or not ...
There's no such option. The configuration items are documented extensively.
Can someone provide a working config for PEAP/EAP-TLS?
* use v3.0.x from github * use the default config * add in certs to raddb/certs/ * test PEAP / EAP-TLS using eapol_test It *will* work.
Can someone describe why my config is not working?
If you delete 99% of the debug log, no. But even the piece you posted above shows that you didn't enable EAP-TLS. Alan DeKok.
On 01/12/2020 21:37, Alan DeKok wrote:
On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have tried to add EAP-TLS support to my working configuration with PEAP/MSCHAPv2, following: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft...
That's very old, and very likely wrong. I just don't trust third-party sites. The advice is usually out of date, confusing, incorrect, or all 3.
That's my site ;-P The info there is about the only place on the web that describes how PEAP/EAP-TLS works, or at least it was when written. It is old now, but the config still looks pretty correct. As it says, it's the fragment_size thing that actually matters.
Can someone provide a working config for PEAP/EAP-TLS?
Honestly, why? There's no point now unless you want to slow your authentication down by adding more round trips. The first paragraph on the site says as much. Microsoft have removed SoH from Windows 10. There's about no other reason I can think of to do both PEAP and EAP-TLS. Just use EAP-TLS on its own. It's simpler, and faster. -- Matthew
On Dec 1, 2020, at 6:08 PM, Matthew Newton <mcn@freeradius.org> wrote:
That's my site ;-P
Then it's perfect and magical. :)
The info there is about the only place on the web that describes how PEAP/EAP-TLS works, or at least it was when written. It is old now, but the config still looks pretty correct. As it says, it's the fragment_size thing that actually matters.
OK.
Can someone provide a working config for PEAP/EAP-TLS?
Honestly, why? There's no point now unless you want to slow your authentication down by adding more round trips. The first paragraph on the site says as much.
Microsoft have removed SoH from Windows 10. There's about no other reason I can think of to do both PEAP and EAP-TLS.
Just use EAP-TLS on its own. It's simpler, and faster.
True. :) Alan DeKok.
On 01/12/2020 21:37, Alan DeKok wrote:
On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have tried to add EAP-TLS support to my working configuration with PEAP/MSCHAPv2, following: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft...
That's very old, and very likely wrong. I just don't trust third-party sites. The advice is usually out of date, confusing, incorrect, or all 3.
That's my site ;-P
The info there is about the only place on the web that describes how PEAP/EAP-TLS works, or at least it was when written. It is old now, but the config still looks pretty correct. As it says, it's the fragment_size thing that actually matters.
Yeah, it actually doesn't work .. so no idea how to actually configure PEAP/EAP-TLS.
Can someone provide a working config for PEAP/EAP-TLS?
Honestly, why? There's no point now unless you want to slow your authentication down by adding more round trips. The first paragraph on the site says as much.
Microsoft have removed SoH from Windows 10. There's about no other reason I can think of to do both PEAP and EAP-TLS.
Just use EAP-TLS on its own. It's simpler, and faster.
Seems so then, tried now with freeradius 3.0.21 and EAP-TLS, and that just worked. So thanks for the pointer to just use EAP-TLS.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Matthew Newton -
Thomas Rosenstein