EAP fails on TLS protocol version with Windows 7, works fine with Windows 10

Alan DeKok aland at deployingradius.com
Tue Nov 24 16:18:38 CET 2020


On Nov 24, 2020, at 10:10 AM, Jochem Sparla <J.Sparla at iolan.com> wrote:
> It's the 'CipherString = DEFAULT@SECLEVEL=1' that makes a difference.

  You can do this in FreeRADIUS.  See the "eap" module configuration.  Set "cipher_list" to that value, and it will work.

> The 'MinProtocol = TLSv1.2' can be left out of openssl.cnf, as long as 'tls_min_version' is set in FreeRADIUS eap config.

> It now works, with 'eap_peap: <<< recv UNKNOWN TLS VERSION ?0304?' and using 'TLS 1.0' further on according to the debug logging.
> I'm sure it's not the best or prettiest way, but I do not understand enough of all the techniques and protocols to make it better. Like solving why it still says TLS 1.3 on the first message, and why it doesn't use TLS 1.1/1.2 even though those are enabled in Windows 7, and why the process just stops when forcing TLS 1.1/1.2 by disabling TLS 1.0 in Windows.

  Windows is magic.  :(

  Alan DeKok.



