Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

Matthew Newton mcn4 at leicester.ac.uk
Tue May 21 10:42:56 CEST 2013


On Tue, May 21, 2013 at 08:03:48AM +0100, Franks Andy (RLZ) IT Systems Engineer wrote:
> Just confirming that I've tested this in the past and it works, but I
> believe the poster of the article is dubious about a production
> environment.

Not at all - we are running it in production.

The warning at the bottom is to make you think about what you're
doing first, rather than to blindly copy my examples and then open
yourself up to security issues that you haven't thought through.
The examples are stripped down to their utter bare minimum - which
is unlikely to be what you want in production.

> When I tried it on wifi it took a second or so more to
> authenticate for some reason, so we eventually went with eap-tls
> instead because of this and because it was simpler.  I did also
> get quite a few "The EAP message did not complete" but that
> could be coincidental.

It's been running fine here with a lot of laptops for over a year
now. We usually see the "EAP did not complete" errors from bad
wireless signals or misconfigured EAP timers.

As the article says - the only real benefit is to get SoH data
from the device. If you don't want/need that, you're fine with
plain EAP-TLS (and with fewer round trips, it will auth faster,
too).

Cheers

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

