PEAP / EAP-TLS

Matthew Newton mcn at freeradius.org
Wed Dec 2 00:08:01 CET 2020



On 01/12/2020 21:37, Alan DeKok wrote:
> On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> I have tried to add EAP-TLS support to my working configuration with PEAP/MSCHAPv2, following: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/
> 
>    That's very old, and very likely wrong.  I just don't trust third-party sites.  The advice is usually out of date, confusing, incorrect, or all 3.

That's my site ;-P

The info there is about the only place on the web that describes how 
PEAP/EAP-TLS works, or at least it was when written. It is old now, but 
the config still looks pretty correct. As it says, it's the 
fragment_size thing that actually matters.

>> Can someone provide a working config for PEAP/EAP-TLS?

Honestly, why? There's no point now unless you want to slow your 
authentication down by adding more round trips. The first paragraph on 
the site says as much.

Microsoft have removed SoH from Windows 10. There's about no other 
reason I can think of to do both PEAP and EAP-TLS.

Just use EAP-TLS on its own. It's simpler, and faster.

-- 
Matthew

