EAP - TLS 1.2 Support
Stefan Winter
stefan.winter at restena.lu
Sun Jan 19 20:11:33 CET 2014
Hi,
the primary issue is the cipher list mismatch, as Alan noted. But you
should also pay attention here:
> Sat Jan 18 20:02:05 2014 : Debug: ssl : OpenSSL 1.0.0-fips 29 Mar 2010
>
> SSL Version Details
> ==============
> OpenSSL 1.0.1e-fips 11 Feb 2013
Your OpenSSL library version is not what you think it is.
> CONFIGURATION:
> ==============
> Sorry if we missed any additional documentation. For EAP TLS 1.2 authentication, we updated our eap configuration cipher:
> cipher_list = "AES256-SHA256"
Ciphers and TLS versions are only very mildly coupled. Butchering the
cipher list is not a very healthy approach.
> When the modem sends the protocol as TLS 1.0, it authenticates successfully with the cipher_list "AES256-SHA256:AES128-SHA" or with cipher_list set to "DEFAULT".
Good. Then set cipher_list to "DEFAULT". Or if you want only "good"
ciphers try something along the lines of "ALL:!MEDIUM:!LOW" to exclude
weak and medium-strength ciphers.
There's plenty of good documentation on the use of ciphers for Apache.
Ask Google and inspire yourself.
> But when the modem sends the protocol as TLS 2.0, the authentication fails in the EAP module with the following error:
There is no TLS 2.0.
Greetings,
Stefan Winter
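The check a practitioner would want before editing cipher_list is to see what a given string actually expands to on the OpenSSL library that is really linked in, and which of those suites a client at a given TLS version can negotiate. The script below is an added example, not code from the thread or from FreeRADIUS; it uses Python's ssl module, so the suites it lists come from whatever OpenSSL the interpreter was built against, including that library's security level, and may differ from what the RADIUS server links. The cipher_list values are the ones that came up in the thread. It makes visible why "AES256-SHA256" alone fails for a TLS 1.0 client: that suite uses an HMAC-SHA256 MAC, which only exists from TLS 1.2 on, so OpenSSL reports its minimum protocol as TLSv1.2 and a TLS 1.0 peer has nothing left to pick, while "AES128-SHA" and "DEFAULT" still contain suites usable from SSLv3/TLS 1.0 upward.

```python
"""Added example (not from the FreeRADIUS thread): expand an OpenSSL
cipher_list string with the locally linked OpenSSL and show which suites a
client speaking a given TLS version could actually use."""
import ssl

# Minimum-version names exactly as OpenSSL reports them per suite.
_PROTO_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed inputs: the cipher_list values discussed in the thread.
THREAD_CIPHER_LISTS = [
    "AES256-SHA256",
    "AES256-SHA256:AES128-SHA",
    "DEFAULT",
    "ALL:!MEDIUM:!LOW",
]


def expand_cipher_list(cipher_list):
    """Return the TLS 1.2-and-below suites the local OpenSSL selects for
    cipher_list, as (name, minimum_protocol, strength_bits, kea, auth)
    tuples in preference order.  An empty list means the string matched
    no suite that this library (and its security level) permits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:  # OpenSSL: "No cipher can be selected"
        return []
    # TLS 1.3 suites are configured separately (set_ciphersuites) and are
    # always reported, so they are not part of a cipher_list expansion.
    return [
        (c["name"], c["protocol"], c["strength_bits"], c["kea"], c["auth"])
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def suites_for_client(cipher_list, client_version):
    """Names of suites from cipher_list that a client negotiating
    client_version ("TLSv1", "TLSv1.1" or "TLSv1.2") can use: a suite is
    only offered at or above the protocol version it was defined for."""
    limit = _PROTO_ORDER[client_version]
    return [
        name
        for name, proto, _bits, _kea, _auth in expand_cipher_list(cipher_list)
        if _PROTO_ORDER.get(proto, 99) <= limit
    ]


def report(cipher_list):
    """Print one line per suite, then what TLS 1.0 and TLS 1.2 clients get."""
    suites = expand_cipher_list(cipher_list)
    print(f'cipher_list = "{cipher_list}"  ({len(suites)} suites)')
    for name, proto, bits, kea, auth in suites:
        print(f"  {name:<32} min {proto:<8} {bits:>3} bits  {kea}  {auth}")
    for version in ("TLSv1", "TLSv1.2"):
        usable = suites_for_client(cipher_list, version)
        print(f"  usable by a {version} client: {len(usable)}")
    print()


if __name__ == "__main__":
    for cl in THREAD_CIPHER_LISTS:
        report(cl)
```

Two things to read off the output: the per-suite minimum protocol is what ties a cipher string to a TLS version, nothing else in cipher_list turns TLS 1.2 on or off; and "ALL" admits the anonymous (aNULL) suites, so when trying a string like "ALL:!MEDIUM:!LOW" look at the auth column before deploying it.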