Thomas Rosenstein thomas.rosenstein at
Wed Dec 2 08:42:02 CET 2020

> On 01/12/2020 21:37, Alan DeKok wrote:
>> On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users 
>> <freeradius-users at> wrote:
>>> I have tried to add EAP-TLS support to my working configuration with 
>>> PEAP/MSCHAPv2, following: 
>>    That's very old, and very likely wrong.  I just don't trust 
>> third-party sites.  The advice is usually out of date, confusing, 
>> incorrect, or all 3.
> That's my site ;-P
> The info there is about the only place on the web that describes how 
> PEAP/EAP-TLS works, or at least it was when written. It is old now, 
> but the config still looks pretty correct. As it says, it's the 
> fragment_size thing that actually matters.

Yeah, it actually doesn't work .. so no idea how to actually configure 

>>> Can someone provide a working config for PEAP/EAP-TLS?
> Honestly, why? There's no point now unless you want to slow your 
> authentication down by adding more round trips. The first paragraph on 
> the site says as much.
> Microsoft have removed SoH from Windows 10. There's about no other 
> reason I can think of to do both PEAP and EAP-TLS.
> Just use EAP-TLS on its own. It's simpler, and faster.

Seems so then, tried now with freeradius 3.0.21 and EAP-TLS, and that 
just worked. So thanks for the pointer to just use EAP-TLS.

> -- 
> Matthew