PEAP with TLS authentication issues, Freeradius V 3.0.20

Alan DeKok aland at deployingradius.com
Mon Aug 17 21:45:18 CEST 2020


On Aug 17, 2020, at 10:23 AM, Thomas Wagner <t.wagner at wenzel-elektronik.de> wrote:
> 
> We're in the process of setting up a FreeRadius Server version 3.0.20 on Ubuntu 20.04. We have to support client authentication via both PEAP and TTLS as outer encryption and MSCHAPV2 and TLS for inner encryption (only supplicants with wired connections for now).

  It was working at one point.  But... we tested it as part of adding support for TLS 1.3.  And PEAP / TLS is no longer working.  After a few days of poking at it, it's not clear why.

  We'll continue to see if we can track it down.

> Now, in the current configuration TTLS works with MSCHAPV2 and TLS. PEAP works with MSCHAPV2 but not with TLS. The freeradius log (see below) states "Failed to authenticate the user" and "&Module-Failure-Message := &request:Module-Failure-Message -> 'eap: rlm_eap (EAP): No EAP session matching state 0x73ff912c72e19cba'". However, the certificates and user/password-settings are identical over all 4 combinations of PEAP/TTLS and MSCHAPV2/TLS for our current testing purposes. So the user authentication should (in theory) work, since PEAP works with MSCHAPV2 and TLS works with TTLS and they currently share users, passwords and certificates.

  The underlying protocols are magically different.  Because "PEAP".  :(

  Alan DeKok.



