PEAP / EAP-TLS
Thomas Rosenstein
thomas.rosenstein at creamfinance.com
Wed Dec 2 08:42:02 CET 2020
> On 01/12/2020 21:37, Alan DeKok wrote:
>> On Dec 1, 2020, at 3:45 PM, Thomas Rosenstein via Freeradius-Users
>> <freeradius-users at lists.freeradius.org> wrote:
>>>
>>> I have tried to add EAP-TLS support to my working configuration with
>>> PEAP/MSCHAPv2, following:
>>> http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/
>>
>> That's very old, and very likely wrong. I just don't trust
>> third-party sites. The advice is usually out of date, confusing,
>> incorrect, or all 3.
>
> That's my site ;-P
>
> The info there is about the only place on the web that describes how
> PEAP/EAP-TLS works, or at least it was when written. It is old now,
> but the config still looks pretty correct. As it says, it's the
> fragment_size thing that actually matters.
Yeah, it actually doesn't work .. so no idea how to actually configure
PEAP/EAP-TLS.
>
>>> Can someone provide a working config for PEAP/EAP-TLS?
>
> Honestly, why? There's no point now unless you want to slow your
> authentication down by adding more round trips. The first paragraph on
> the site says as much.
>
> Microsoft have removed SoH from Windows 10. There's about no other
> reason I can think of to do both PEAP and EAP-TLS.
>
> Just use EAP-TLS on its own. It's simpler, and faster.
Seems so then, tried now with freeradius 3.0.21 and EAP-TLS, and that
just worked. So thanks for the pointer to just use EAP-TLS.
>
> --
> Matthew