EAP-PEAP - difference between 3.0.25 and 3.2

Kamil Jońca kjonca at op.pl
Tue Jun 28 17:50:21 UTC 2022


Alan DeKok <aland at deployingradius.com> writes:

> On Jun 28, 2022, at 9:04 AM, Kamil Jońca <kjonca at op.pl> wrote:
>> 3.0.25
>> https://drive.google.com/file/d/1uswz1jQRyAE_J7b9tu8Hrf4HmZqkT0NW/view?usp=sharing
>> 3.2
>> https://drive.google.com/file/d/15ONVo-KrM0Mq6Jrwu0PlKBDFMKTBpDgX/view?usp=sharing
>
>   From a quick look, with 3.0.25, the client sends a bunch of information after the TLS session has been established.  This is the initial "inner EAP" data.
>
>   For 3.2.0, the client sends nothing after the TLS session has been established.  FreeRADIUS sends an ACK "please send more data", and the client sends an ACK "no, you send more data".  And then that process repeats.
>
>   I suspect that whatever is going wrong is likely in the TLS layer.   Are you running both 3.0.25 and 3.2.0 on the same machine, with the same OpenSSL libraries, etc?  Or are they on different machines?

I do not know if this is important, but you probably see:

--8<---------------cut here---------------start------------->8---
cipher_list = "DEFAULT:TLSv1.0:AECDH-AES256-SHA@SECLEVEL=0:AECDH-AES128-SHA@SECLEVEL=0"
--8<---------------cut here---------------end--------------->8---
These "SECLEVEL=0" (and SECLEVEL pragma) were needed because of other
(not so old) devices which support these ciphers.
In 3.0.25 they were not needed; it was enough to have

--8<---------------cut here---------------start------------->8---
cipher_list = "DEFAULT:TLSv1.0"
--8<---------------cut here---------------end--------------->8---
Maybe this observation is relevant?
KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html

