PEAP / EAP-TLS

Alan DeKok aland at deployingradius.com
Tue Dec 1 22:37:44 CET 2020 

On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have tried to add EAP-TLS support to my working configuration with PEAP/MSCHAPv2, following: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/

  That's very old, and very likely wrong.  I just don't trust third-party sites.  The advice is usually out of date, confusing, incorrect, or all 3.

> First it complains (/etc/freeradius/sites-enabled/inner-tunnel[26]: Unknown Auth-Type "inner-eap" in authenticate sub-section) about having innereap in the authenticate section of the inner-tunnel, if I leave eap (which I think is correct?!)

  It's not good to make random changes without fully understanding what's going on.  i.e. adding "inner-eap" in one place, but not another.

> Then the EAP authentication stops with:
> 
> (480) eap: Peer sent packet with method EAP NAK (3)
> (480) eap: Peer NAK'd asking for unsupported EAP type TLS (13), skipping...
> (480) eap: ERROR: No mutually acceptable types found

  You disabled "tls" in the "eap" module.

> Which should mean that the inner-eap config file is not working? Currently the inner-eap config looks like that:

  No.  It means that the "eap" method is running.  Not "inner-eap".

  And PLEASE look at the debug log.  ALL OF IT.  Looking 480 packets in isn't necessary.  Look at ONE authentication attempt.  It's maybe 16 packets.  See the documentation on my web site for testing EAP:  http://deployingradius.com

> I am not sure about the tls-config, the sample files use the tls config like that for the eap file, but the inner-eap sitll has the config directly in the tls sections - anyways, I tried both and same result.
> Additionally mschapv2 just continues to work, if I add it, or remove it, no change.

 Yes... making random changes to "see what works".  This isn't the recommended approach.

> I'm using:
> 
> radiusd: FreeRADIUS Version 3.0.20 (git #d94c953), for host x86_64-pc-linux-gnu
> FreeRADIUS Version 3.0.20

  You'll have to grab the v3.0.x branch from GitHub in order to do PEAP/EAP-TLS.  We've put some fixes in which make it easier to do.  3.0.20 will work, but will require a bit more effort than should be necessary.

> I also read that there's a new option "inner_eap_module" for the PEAP section inside eap, but I can't figure out if that's actually in 3.0.20 or not ...

  There's no such option.  The configuration items are documented extensively.

> Can someone provide a working config for PEAP/EAP-TLS?

* use v3.0.x from github
* use the default config
* add in certs to raddb/certs/
* test PEAP / EAP-TLS using eapol_test

  It *will* work.

> Can someone describe why my config is not working?

  If you delete 99% of the debug log, no.  But even the piece you posted above shows that you didn't enable EAP-TLS.

  Alan DeKok.

More information about the Freeradius-Users mailing list