Problem with 802.1X and EAP-PEAP configuration

Alan DeKok aland at deployingradius.com
Fri Jun 27 12:19:59 UTC 2025


On Jun 27, 2025, at 8:06 AM, Peter Sprenger <sprenger at moving-bytes.de> wrote:
> I have a problem with 802.1X and after some time I am really desperate:
> 
> - I am writing an embedded ANSI C client that already supports EAP-TLS, EAP-TTLS PAP and EAP-TTLS CHAP. Now I thought EAP-PEAP would not be so hard. But with the FreeRADIUS config I cannot get the outer TLS tunnel running. The TLS 1.2 connection gets rejected by my SSL library: "ASN parsing error, invalid input". For EAP-TLS and EAP-TTLS I have no problem with TLS 1.2 and TLS 1.3 connections.

  If only there was some kind of debug output from FreeRADIUS.

> - I tried to work with eapol_test and there is the same picture: EAP-TLS, EAP-TTLS PAP and EAP-TTLS CHAP are working, but for EAP-PEAP the outer TLS connection gets refused.

  Then you've configured it incorrectly.  PEAP works.  It's fine.  Tens of millions of people use it every day with FreeRADIUS.

  There are even tests for PEAP with eapol_test.  See the FreeRADIUS source: src/tests/peap*.conf

> - From ChatGPT I got the info that TLS 1.3 may cause problems for EAP-PEAP. So I have restricted the client and the FreeRADIUS server to TLS 1.2. No success.

  Don't use ChatGPT or any AI systems for debugging RADIUS.  It's useless and wrong.

> Any help or idea would be very appreciated!

  There is substantial documentation for what you're trying to do.  Most notably:

  http://wiki.freeradius.org/list-help

  This is the link you get when you join the mailing list, along with BIG WARNINGS to read the link and follow the instructions before posting to the list.

  If you're going to ignore all available documentation, then it's no surprise that the server seems hard to configure.  Following the documentation is substantially more productive than asking an AI system for help.

  Alan DeKok.



More information about the Freeradius-Users mailing list