PEAP / EAP-TLS
mcn at freeradius.org
Wed Dec 2 00:08:01 CET 2020
On 01/12/2020 21:37, Alan DeKok wrote:
> On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> I have tried to add EAP-TLS support to my working configuration with PEAP/MSCHAPv2, following: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/
> That's very old, and very likely wrong. I just don't trust third-party sites. The advice is usually out of date, confusing, incorrect, or all 3.
That's my site ;-P
The info there is about the only place on the web that describes how
PEAP/EAP-TLS works, or at least it was when written. It is old now, but
the config still looks pretty correct. As it says, it's the
fragment_size thing that actually matters.
>> Can someone provide a working config for PEAP/EAP-TLS?
Honestly, why? There's no point now unless you want to slow your
authentication down by adding more round trips. The first paragraph on
the site says as much.
Microsoft have removed SoH from Windows 10. There's about no other
reason I can think of to do both PEAP and EAP-TLS.
Just use EAP-TLS on its own. It's simpler, and faster.
More information about the Freeradius-Users