EAP-TLS 1.3 support (RFC 9190)
Alan DeKok
aland at deployingradius.com
Fri Nov 8 06:57:23 UTC 2024
On Nov 8, 2024, at 3:52 AM, Stephan P. <ShoootLight at outlook.de> wrote:
> Does FreeRADIUS server support EAP-TLS 1.3 (as described in RFC9190)?
Yes.
> And if yes, beginning with which version of FreeRADIUS?
The ChangeLog for 3.0 shows that it was 3.0.23. But there are caveats, as the standard wasn't done.
> I looked in the changelogs, TLS 1.3 support is mentioned for EAP-TTLS and EAP-PEAP (but not for EAP-TLS) (-> version 3.0.26 (2022.09.20) and version 3.2.2 (2023.02.16)). I haven't found anything explicit about it in the documents, only the "TLS 1.3 Configuration" mailing list thread from Boby Tharappel implicating feature support.
TTLS and PEAP are really "EAP-TLS with more data in the inner TLS tunnel". So they only support TLS 1.3 because the base EAP-TLS code supports TLS 1.3.
To put it another way, EAP-TLS, TTLS, and PEAP all share a common "tls { ... }" configuration. So they all support the same TLS versions, the same TLS functionality, etc.
Alan DeKok.
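
The shared TLS configuration described in the reply above can be checked mechanically. The following is an added example, not part of the original post and not FreeRADIUS project code: it reads an EAP module configuration and reports which TLS version bounds each of EAP-TLS, TTLS and PEAP inherits. It assumes the 3.x `mods-available/eap` layout, where a named `tls-config` block is referenced from each method with `tls = <name>` and the bounds are set with `tls_min_version` / `tls_max_version`; the sample configuration and the function names are constructed for illustration.

```python
# Constructed sample in the assumed FreeRADIUS 3.x mods-available/eap layout.
SAMPLE_EAP_CONF = '''
eap {
    default_eap_type = tls
    tls-config tls-common {
        tls_min_version = "1.2"
        tls_max_version = "1.3"
    }
    tls {
        tls = tls-common
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
    }
    peap {
        tls = tls-common
    }
}
'''

def parse_blocks(text):
    """Return {block header: {key: value}} for each 'name [instance] { ... }' block."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.endswith('{'):                   # block opens
            stack.append(line[:-1].strip())
            blocks.setdefault(stack[-1], {})
        elif line == '}':                        # block closes
            stack.pop()
        elif '=' in line and stack:              # key = value in innermost block
            key, value = (p.strip() for p in line.split('=', 1))
            blocks[stack[-1]][key] = value.strip('"')
    return blocks

def tls_versions_by_method(text, methods=('tls', 'ttls', 'peap')):
    """Map each EAP method to (tls-config name, min version, max version)."""
    blocks = parse_blocks(text)
    result = {}
    for method in methods:
        ref = blocks.get(method, {}).get('tls')  # None if the method has no reference
        cfg = blocks.get(f'tls-config {ref}', {})
        result[method] = (ref, cfg.get('tls_min_version'), cfg.get('tls_max_version'))
    return result

def share_one_tls_config(text):
    """True when every method resolves to the same tls-config and version bounds."""
    return len(set(tls_versions_by_method(text).values())) == 1
```

A method that resolves to `(None, None, None)` has no `tls = ...` reference in the parsed text, so its TLS version bounds are not coming from the shared block.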