EAP-PEAP - difference between 3.0.25 and 3.2

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Tue Jun 28 13:41:51 UTC 2022

W dniu 28.06.2022 o 15:04, Kamil Jońca pisze:
> Matthew Newton <mcn at freeradius.org> writes:
>> On 28/06/2022 08:41, Kamil Jońca wrote:
>>> Debian box with debian radius packages.
>>> There is old phone (Samsung Wave) which was configured to use PEAP0
>>> to
>>> connect to wifi.
>> If it's an old phone you might want to check OpenSSL ciphers / TLS
>> versions. That's the most likely.
> I have some older devices and I have to enable some strange ciphers  :(
>>> Of course I can provide logs, but they are quite huge.
>> Please send logs of both. We don't have time to make random guesses.
>> Just from `freeradius -X` (not -xxx, -Xx, etc)
> 3.0.25
> https://drive.google.com/file/d/1uswz1jQRyAE_J7b9tu8Hrf4HmZqkT0NW/view?usp=sharing
> 3.2
> https://drive.google.com/file/d/15ONVo-KrM0Mq6Jrwu0PlKBDFMKTBpDgX/view?usp=sharing
> KJ

 From provided logs, it looks like not the client, but the server 
insists on degrading TLS to v1.0 in the handshake. Maybe trying with the 
wider range of acceptable TLS versions in eap module could solve the issue:
tls_min_version = "1.0"
tls_max_version = "1.3"

FreeRadius 3.2.0 works perfectly for this range for eap-ttls performing 
tunnelled authentications and servicing clients capable of TLSv1.0, 
TLSv1.2 and TLSv1.3 methods.

Marek Zarychta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20220628/3733b9e1/attachment.sig>

More information about the Freeradius-Users mailing list