Thomas Rosenstein thomas.rosenstein at
Tue Dec 1 21:45:14 CET 2020


I have tried to add EAP-TLS support to my working configuration with 
PEAP/MSCHAPv2, following:

First it complains (/etc/freeradius/sites-enabled/inner-tunnel[26]: 
Unknown Auth-Type "inner-eap" in authenticate sub-section) about having 
inner-eap in the authenticate section of the inner-tunnel, if I leave eap 
(which I think is correct?!)

Then the EAP authentication stops with:

(480) eap: Peer sent packet with method EAP NAK (3)
(480) eap: Peer NAK'd asking for unsupported EAP type TLS (13), 
(480) eap: ERROR: No mutually acceptable types found

Which should mean that the inner-eap config file is not working? 
Currently the inner-eap config looks like that:

eap inner-eap {
   default_eap_type = tls
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = no

   mschapv2 {
   }

   tls-config tls-inner {
     private_key_file = ${raddbdir}/tls-certs/vpn.key
     certificate_file = ${raddbdir}/tls-certs/vpn.crt
     ca_file = ${raddbdir}/tls-certs/ca.pem

     dh_file = ${raddbdir}/tls-certs/dh.pem

     random_file = /dev/urandom
     fragment_size = 1024

     check_crl = no
     cipher_list = "DEFAULT"
   }

   tls {
     tls = tls-inner
   }
}


I am not sure about the tls-config, the sample files use the tls config 
like that for the eap file, but the inner-eap still has the config 
directly in the tls section - anyways, I tried both and same result.
Additionally, mschapv2 just continues to work whether I add it or remove 
it; no change.

I'm using:

radiusd: FreeRADIUS Version 3.0.20 (git #d94c953), for host 
FreeRADIUS Version 3.0.20

I also read that there's a new option "inner_eap_module" for the PEAP 
section inside eap, but I can't figure out if that's actually in 3.0.20 
or not ...

Can someone provide a working config for PEAP/EAP-TLS?
Can someone describe why my config is not working?
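To make the NAK debug lines quoted above concrete, here is an added Python example (not from this post and not FreeRADIUS code) that decodes an EAP Response/Nak as laid out in RFC 3748 and applies a simplified version of the server-side decision: the first peer-requested method that the server instance is configured for is chosen, otherwise the negotiation fails the way the log shows. The sample packet and the server type sets are constructed for the example; the selection rule is a simplification, not FreeRADIUS's exact logic.

```python
"""Decode EAP packets and replay the method negotiation behind the
"Peer NAK'd ... No mutually acceptable types found" debug lines.
Added illustration; not code from the mailing-list post and not from
FreeRADIUS. Packet layout follows RFC 3748; the server-side selection
rule below is a simplification of what a real server does."""
import struct
from typing import Iterable, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_NAK = 1, 3
EAP_TYPE_TLS, EAP_TYPE_PEAP, EAP_TYPE_MSCHAPV2 = 13, 25, 26

# IANA EAP method numbers as they appear in the debug output and in
# FreeRADIUS sub-section names (tls, peap, mschapv2, ...)
EAP_TYPE_NAMES = {1: "Identity", 3: "NAK", 4: "MD5", 13: "TLS",
                  21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_eap(packet: bytes) -> dict:
    """Parse the fixed EAP header (Code, Identifier, Length) and, for
    Request/Response packets, the Type byte and Type-Data.
    Raises ValueError on malformed input instead of guessing."""
    if len(packet) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # Length covers the whole EAP packet; bytes beyond it are padding and
    # are ignored, but a Length larger than the buffer is malformed.
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length %d for %d-byte buffer" % (length, len(packet)))
    msg = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        msg["type"] = packet[4]
        msg["data"] = packet[5:length]
    return msg


def nak_requested_types(msg: dict) -> list:
    """Legacy Nak (RFC 3748 5.3.1): Type-Data is one or more octets, each a
    method type the peer would accept instead of the one it was offered."""
    if msg["code"] != EAP_RESPONSE or msg["type"] != EAP_TYPE_NAK:
        raise ValueError("not a Response/Nak packet")
    if not msg["data"]:
        raise ValueError("Nak carries no desired type")
    return list(msg["data"])


def negotiate(server_types: Iterable[int], nak_msg: dict) -> Optional[int]:
    """Simplified server decision: pick the first peer-requested method the
    server instance offers, else None (the 'No mutually acceptable types'
    outcome). A desired type of 0 means 'none acceptable' and never matches."""
    offered = set(server_types)
    for t in nak_requested_types(nak_msg):
        if t != 0 and t in offered:
            return t
    return None


def build_nak(ident: int, wanted: Iterable[int]) -> bytes:
    """Construct a Response/Nak listing the desired method types."""
    wanted = bytes(wanted)
    header = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(wanted), EAP_TYPE_NAK)
    return header + wanted


def explain_nak(msg: dict, server_types: Iterable[int]) -> str:
    """Render the negotiation result in the style of the server debug log."""
    names = ", ".join("%s (%d)" % (EAP_TYPE_NAMES.get(t, "unknown"), t)
                      for t in nak_requested_types(msg))
    chosen = negotiate(server_types, msg)
    if chosen is None:
        return ("Peer NAK'd asking for unsupported EAP type(s) %s; "
                "no mutually acceptable types" % names)
    return "Peer NAK'd asking for %s; continuing with %s (%d)" % (
        names, EAP_TYPE_NAMES.get(chosen, "unknown"), chosen)


# Constructed sample: Response (2), id 5, length 6, type Nak (3), desired TLS (13).
# This is the packet shape behind "Peer NAK'd asking for unsupported EAP type TLS (13)".
SAMPLE_NAK = bytes([2, 5, 0, 6, 3, 13])

if __name__ == "__main__":
    msg = parse_eap(SAMPLE_NAK)
    # an inner EAP instance that only offers MSCHAPv2 cannot satisfy the peer
    print(explain_nak(msg, {EAP_TYPE_MSCHAPV2}))
    # the same Nak against an instance that also offers TLS succeeds
    print(explain_nak(msg, {EAP_TYPE_TLS, EAP_TYPE_MSCHAPV2}))
```

The practical reading of the log is the second case failing: the peer answered the inner EAP Request with a Nak naming only TLS, and the inner EAP instance that handled it had no TLS method configured, so the server had nothing to fall back to. Running a captured Nak through `explain_nak` against the type set of the instance you believe is handling the inner tunnel is a quick way to confirm which instance is actually being used.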


More information about the Freeradius-Users mailing list