PEAP / EAP-TLS
Thomas Rosenstein
thomas.rosenstein at creamfinance.com
Tue Dec 1 21:45:14 CET 2020
Hi,
I have tried to add EAP-TLS support to my working configuration with
PEAP/MSCHAPv2, following:
http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/
First it complains (/etc/freeradius/sites-enabled/inner-tunnel[26]:
Unknown Auth-Type "inner-eap" in authenticate sub-section) about having
innereap in the authenticate section of the inner-tunnel, if I leave eap
(which I think is correct?!)
Then the EAP authentication stops with:
(480) eap: Peer sent packet with method EAP NAK (3)
(480) eap: Peer NAK'd asking for unsupported EAP type TLS (13), skipping...
(480) eap: ERROR: No mutually acceptable types found
Which should mean that the inner-eap config file is not working?
Currently the inner-eap config looks like that:
eap inner-eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    mschapv2 {
    }
    tls-config tls-inner {
        private_key_file = ${raddbdir}/tls-certs/vpn.key
        certificate_file = ${raddbdir}/tls-certs/vpn.crt
        ca_file = ${raddbdir}/tls-certs/ca.pem
        dh_file = ${raddbdir}/tls-certs/dh.pem
        random_file = /dev/urandom
        fragment_size = 1024
        check_crl = no
        cipher_list = "DEFAULT"
    }
    tls {
        tls = tls-inner
    }
}
I am not sure about the tls-config, the sample files use the tls config
like that for the eap file, but the inner-eap still has the config
directly in the tls sections - anyways, I tried both and same result.
Additionally mschapv2 just continues to work, if I add it, or remove it,
no change.
I'm using:
radiusd: FreeRADIUS Version 3.0.20 (git #d94c953), for host
x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.20
I also read that there's a new option "inner_eap_module" for the PEAP
section inside eap, but I can't figure out if that's actually in 3.0.20
or not ...
Can someone provide a working config for PEAP/EAP-TLS?
Can someone describe why my config is not working?
Thanks
Thomas
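
The NAK exchange shown in the debug lines above, as an added example (not part of the original post and not FreeRADIUS code): a Python model of RFC 3748 Response/Nak handling, showing that an EAP instance whose enabled method list lacks TLS (13) ends with no mutually acceptable type. The function names, the enabled-method lists and the sample packet are constructed for illustration.

```python
import struct
from typing import List, Optional

# EAP method type numbers from RFC 3748 and the IANA EAP registry.
EAP_TYPES = {1: "Identity", 3: "NAK", 4: "MD5", 13: "TLS", 21: "TTLS",
             25: "PEAP", 26: "MSCHAPv2"}
EAP_RESPONSE, EAP_NAK = 2, 3


def parse_nak(packet: bytes) -> List[int]:
    """Return the method types a peer asks for in an EAP Response/Nak."""
    if len(packet) < 5:
        raise ValueError("EAP packet shorter than the 5-byte header")
    # Header: Code, Identifier, Length (big-endian, whole packet), Type.
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length < 5 or length > len(packet):
        raise ValueError("EAP Length field does not match the packet")
    if code != EAP_RESPONSE or eap_type != EAP_NAK:
        raise ValueError("not an EAP Response/Nak")
    # Type-Data is one octet per desired method; 0 means "no alternative".
    return [t for t in packet[5:length] if t != 0]


def negotiate(enabled: List[int], packet: bytes) -> Optional[int]:
    """Pick the first peer-requested method this EAP instance has enabled."""
    for wanted in parse_nak(packet):
        if wanted in enabled:
            return wanted
    return None  # corresponds to "No mutually acceptable types found"


# Constructed sample: Response (2), id 7, length 6, Nak (3), wants TLS (13).
SAMPLE_NAK = bytes([2, 7, 0, 6, 3, 13])

if __name__ == "__main__":
    # Hypothetical enabled-method lists for two EAP module instances.
    for name, enabled in (("MSCHAPv2 only", [26]),
                          ("TLS + MSCHAPv2", [13, 26])):
        chosen = negotiate(enabled, SAMPLE_NAK)
        label = EAP_TYPES.get(chosen, "No mutually acceptable types found")
        print(f"{name}: {label}")
```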