Re: TTLS EAP “unsupported protocol” error

[Alan DeKok]

On Mar 4, 2024, at 3:10 PM, Bill Schoolfield <bill at billmax.com> wrote:
> 
> Trying to get Cambium 450 equipment to work with TTLS EAP and FreeRadius. Specifically FreeRadius 3.2.1 on Debian 12.5
> 
> Following all the information online, I’ve setup radius including creating my own certificates and tested the setup using the eapol_test tool. Results AOK.

  That's good.

> But tests with the 450 Cambium equipment (20.1 firmware) fail at the ssl handshake with an error message in the log: “unsupported protocol”

  That's weird.  The NAS / AP usually doesn't do EAP.  It's the supplicant which does that.

> I was able to get it to work by forcing TLS 1.0 (setting min and max TLS to 1.0 and setting cipher_list to DEFAULT at SECLEVEL=0). Obviously not a good thing to do but it does suggest a TLS version issue.

  That really sounds like it's a very old supplicant.

> My question to the group is this simply a matter of what Cambium supports (TLS wise) or is it possible I have something wrong on the FreeRadius side?

  You don't have anything wrong on the FreeRADIUS side.  Nobody should be using TLS 1.0 any more  :(

  Alan DeKok.