PEAP with TLS authentication issues, Freeradius V 3.0.20
Alan DeKok
aland at deployingradius.com
Wed Aug 26 00:21:16 CEST 2020
On Aug 17, 2020, at 10:23 AM, Thomas Wagner <t.wagner at wenzel-elektronik.de> wrote:
>
> We're in the process of setting up a FreeRadius Server version 3.0.20 on Ubuntu 20.04. We have to support client authentication via both PEAP and TTLS as outer encryption and MSCHAPV2 and TLS for inner encryption (only supplicants with wired connections for now).
>
> Now, in the current configuration TTLS works with MSCHAPV2 and TLS. PEAP works with MSCHAPV2 but not with TLS. The freeradius log (see below) states "Failed to authenticate the user" and "&Module-Failure-Message := &request:Module-Failure-Message -> 'eap: rlm_eap (EAP): No EAP session matching state 0x73ff912c72e19cba'". However, the certificates and user/password-settings are identical over all 4 combinations of PEAP/TTLS and MSCHAPV2/TLS for our current testing purposes. So the user authentication should (in theory) work, since PEAP works with MSCHAPV2 and TLS works with TTLS and they currently share users, passwords and certificates.
>
> Currently, we're out of ideas on how to get PEAP with TLS working. So any help is appreciated!
After some poking, the issue is that the "inner" EAP-TLS is likely using the same MTU / fragment size as the "outer" TLS.
The solution is one of two things:
a) configure the "inner-eap" module, and use it inside of the "inner-tunnel" virtual server.
It can be the same as "eap", except with a smaller fragment_size. Say 1100 instead of 1200.
b) download v3.0.x from GitHub. We've put fixes in which should automagically fix it.
Alan DeKok.
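As an added illustration of option (a), written for this page rather than taken from the list post or from FreeRADIUS's shipped files: a second instance of the `eap` module named `inner-eap` with a smaller fragment_size, referenced from the inner-tunnel virtual server in place of `eap`. The file locations, the `inner-server.pem` certificate name and the other certificate paths are assumptions; the two fragment sizes are the ones named in the reply.

```conf
# raddb/mods-available/inner-eap (assumed path; enable it with a symlink in mods-enabled)
# Second instance of the "eap" module, used only inside the PEAP/TTLS tunnel.
# Same settings as the outer "eap" module except for fragment_size: the inner
# EAP-TLS records travel inside the outer TLS records, so they must be smaller.
eap inner-eap {
	default_eap_type = tls
	timer_expire     = 60
	ignore_unknown_eap_types = no

	# Outer "eap" module keeps fragment_size = 1200; the inner instance
	# uses 1100 so inner fragments plus EAP/TLS framing still fit.
	tls {
		private_key_file = ${certdir}/inner-server.pem   # assumed filename
		certificate_file = ${certdir}/inner-server.pem   # assumed filename
		ca_file          = ${cadir}/ca.pem               # assumed filename
		dh_file          = ${certdir}/dh
		fragment_size    = 1100
		include_length   = yes
	}
}

# raddb/sites-available/inner-tunnel (assumed path): every place the stock
# file calls "eap" now calls "inner-eap", so the inner EAP-TLS session is
# created and looked up by the instance with the smaller fragment size.
server inner-tunnel {
	authorize {
		# other stock modules (files, ldap, pap, ...) stay as shipped
		inner-eap {
			ok = return
		}
	}
	authenticate {
		# listing the instance bare creates Auth-Type inner-eap, which is
		# what rlm_eap sets from the instance name in authorize
		inner-eap
	}
}
```

The outer `eap` module in mods-available/eap is left untouched; only the tunnel-side calls change.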