mschap configuration problem

Alan DeKok aland at
Tue Jul 14 18:50:38 CEST 2020

On Jul 14, 2020, at 11:00 AM, Piviul <piviul at> wrote:
> Alan DeKok wrote on 14/07/20 at 16:17:
>> On Jul 14, 2020, at 8:53 AM, Piviul <piviul at> wrote:
>>>> (30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048]
>>>> (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
>>>> (30) eap_peap: ERROR: TLS Alert
>>   Windows is doing TLS 1.3.  There is no standard yet for EAP with TLS 1.3.
>>   Edit mods-available/eap, and set:
>> 	tls_max_version = "1.2"
> but win 10 can connect... anyway, I have uncommented the option but nothing changed

  Windows 10 can connect because it's different.

  Did you restart the server after the configuration change?  Which version are you running?

  I doubt *very* much that the systems do TLS 1.3 if it's disabled on the server.

>>> and on the win7 client:
>>>> (14) eap_peap: <<< recv TLS 1.2  [length 0002]
>>>> (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
>>   You didn't put the root CA onto the Windows machine.
> no, I did it; I have installed the ca.der putting it in the Trusted Root CA. Furthermore on the connection I have selected to validate server certificate and selected the certificate imported in the trusted root ca.

  Apparently it's not enough.

  Look, it's very simple.  You can believe that you configured everything perfectly AND the error messages are lying to you.  Or, you can believe that the error messages are correct, and you're missing some configuration somewhere.

> And they are the same settings I've set in win10...

  Ask Microsoft how to configure their systems.

  Alan DeKok.
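
An added example, not part of the original message or of FreeRADIUS: a small Python triage script that splits `eap_peap` debug output like the two excerpts quoted in this thread and reports what each TLS alert points to. The function names and the wording of the findings are assumptions made for illustration.

```python
import re

# Wire version codes (hex) used in TLS records and handshake messages.
TLS_VERSIONS = {"0301": "TLS 1.0", "0302": "TLS 1.1",
                "0303": "TLS 1.2", "0304": "TLS 1.3"}

ENTRY = re.compile(r"\((\d+)\) eap_peap: ")
UNKNOWN_VER = re.compile(r"<<< recv UNKNOWN TLS VERSION \W?([0-9A-Fa-f]{4})")
ALERT_SENT = re.compile(r">>> send TLS [\d.]+ Alert \[length \w+\], (\w+) (\w+)")
ALERT_READ = re.compile(r"TLS Alert read:(\w+):(.+)")


def split_entries(text):
    """Split debug text into (request_id, message) pairs, even when several
    entries were pasted onto one line, as happens in mail archives."""
    parts = ENTRY.split(text)  # ['', id, msg, id, msg, ...]
    return [(int(parts[i]), parts[i + 1].strip())
            for i in range(1, len(parts) - 1, 2)]


def triage(text):
    """Return {request_id: [finding, ...]} for the failures seen in the thread."""
    findings = {}
    for req, msg in split_entries(text):
        out = findings.setdefault(req, [])
        if m := UNKNOWN_VER.search(msg):
            name = TLS_VERSIONS.get(m.group(1).lower(), "unknown")
            out.append(f"peer sent version 0x{m.group(1)} ({name}); "
                       "check tls_max_version and restart the server")
        if m := ALERT_SENT.search(msg):
            out.append(f"server sent {m.group(1)} alert: {m.group(2)}")
        if m := ALERT_READ.search(msg):
            level, desc = m.group(1), m.group(2).strip()
            note = f"peer sent {level} alert: {desc}"
            if desc.lower() == "unknown ca":  # alert came from the client
                note += "; peer cannot chain the server certificate to a trusted CA"
            out.append(note)
    return {req: notes for req, notes in findings.items() if notes}


# Log lines taken from the excerpts quoted in the thread; the last two
# entries are left run together on purpose to exercise split_entries().
SAMPLE = (
    "(30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048]\n"
    "(30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure\n"
    "(30) eap_peap: ERROR: TLS Alert\n"
    "(14) eap_peap: <<< recv TLS 1.2  [length 0002] "
    "(14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA\n"
)
```

Calling `triage(SAMPLE)` groups the findings by the request number in parentheses, so the TLS 1.3 handshake failure and the unknown CA alert are reported separately.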
