Microsoft PEAP-EAP-TLS support (certificate auth with SoH)? - works!

Matthew Newton mcn4 at
Fri Jan 20 17:04:37 CET 2012


It's working!

On Fri, Jan 20, 2012 at 08:28:49AM +0100, Alan DeKok wrote:
> Matthew Newton wrote:
> > Does anyone know if FreeRADIUS now supports Microsoft
> > PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in
> It's not a widely used feature.

Obviously :-) SoH is the only reasonably sane(?) reason I can
think of for doing EAP-TLS inside PEAP.

>   You'll need to set up *two* instances of the EAP module.  One for the
> outer PEAP session, and a separate one for the inner EAP.

Gotcha - thanks. That wasn't the only thing, but without doing that
it wasn't possible for it to work. Reasoning:

Ultimately, the problem was down to the fact that fragment_size in
the inner TLS (EAP-TLS) must be smaller than that of the outer
(TLS for PEAP).

With two different instances of eap, and a difference of about 50
bytes between the inner and outer fragment sizes, it all works.
I've currently set the inner to the default of 1024, and the outer
to 1200.

Apart from the tls fragment size, the rest of the eap configuration
can be literally identical. Won't do that as it's very untidy, but
it does work.

On Fri, Jan 20, 2012 at 10:50:28AM +0000, Phil Mayers wrote:
> On 01/20/2012 01:08 AM, Matthew Newton wrote:
> >Is it actually possible to do SoH with certificate-based
> >authentication, or do I have to look towards DHCP for this?
> SoH is a PEAP TLV. If the PEAP module is running, it should support
> SoH regardless of the type of inner-auth.

Yes, thanks - it's working fine. So I now have a stack of cards
that resembles:

PEAP (TLS comes up using main "eap" instantiation)
SoH (happens over PEAP, calls "soh-server" virtual server)
PEAP calls "inner-tunnel" virtual server
-> EAP-TLS (uses secondary "innereap" instantiation of eap)
-> OCSP (checks inner certificate)

For reference, setting

  EAP-TLS-Require-Client-Cert = Yes

just breaks things, as the client refuses to send a certificate at
the PEAP stage.

Thanks for the help!


Matthew Newton, Ph.D. <mcn4 at>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list