[RADIATOR] Issues with EAP/PEAP authentication

Heikki Vatiainen hvn at open.com.au
Tue Mar 2 11:55:25 UTC 2021


On 2.3.2021 1.16, Hirayama, Pat wrote:

> I did some testing with Trace 4 and I suspect that it is due to protocol differences between OpenSSL on CentOS 6 and Ubuntu 20 that Heikki and others pointed out when I posted last month when I was having issues with LDAP -- mostly because of the "unsupported protocol" that appears in the logfile -- and the fact that the same basic handler configuration works fine on the older OS/Radiator.  But it isn't clear to me what specific protocol is being used that is unsupported.

That would be TLS protocol. If you try adding 'TLSv1' to 
EAPTLS_Protocols, would that help?

For additional backwards compatibility, you can try setting SECLEVEL=0, 
but I'd first check if the clients simply require TLS 1.0. The web is 
(mostly) TLSv1.2 and 1.3, but TLS based EAP methods may still require 
older TLS versions.

[inner Handler's AuthBy follows]

>                  EAPType MSCHAP-V2,PEAP,TTLS

I'd simply leave MSCHAP-V2 enabled and remove all EAPTLS_* settings from 
the inner handler's AuthBy.

[remove these]
>                  EAPTLS_PEAPVersion 0
>                  EAPTLS_CertificateType PEM
>                  EAPTLS_MaxFragmentSize 1024
>                  EAPTLS_SecurityLevel 1
>                  EAPTLS_Ciphers DEFAULT@SECLEVEL=1
>                  EAPTLS_Protocols TLSv1.1, TLSv1.2
>                  EAPAnonymous %0
>                  SSLeayTrace 4

[all the way to here]

> #### Outer Handler #####
> # When clients check the 'Validate Server Certificate' (or equivalent), then this stanza plays a key role
> <Handler>

>          <AuthBy FILE>

>                  EAPTLS_SecurityLevel 1
>                  EAPTLS_Ciphers DEFAULT@SECLEVEL=1
>                  EAPTLS_Protocols TLSv1.1, TLSv1.2

Try adding TLSv1 to the allowed protocols, as mentioned above.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
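Putting the three suggestions above into one configuration, as an added example that is not from this thread or from Radiator's own distribution: the inner handler keeps only MSCHAP-V2 with no EAPTLS_* parameters, the outer handler carries all TLS settings with TLSv1 added to EAPTLS_Protocols, and the SECLEVEL=0 fallback is left commented out until it is shown to be needed. The `TunnelledByPEAP=1` handler selector, `Filename` and the EAPTLS certificate parameters are assumed from Radiator's standard configuration; the file paths are placeholders, and only the PEAP inner handler is shown.

```apacheconf
# Inner handler: handles the EAP method inside the tunnel (MSCHAP-V2).
# No EAPTLS_* parameters here; the TLS tunnel is owned by the outer handler.
<Handler TunnelledByPEAP=1>
        <AuthBy FILE>
                Filename %D/users
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>

# Outer handler: terminates the PEAP/TTLS TLS tunnel, so every TLS
# setting (protocols, ciphers, security level, certificates) lives here.
<Handler>
        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP,TTLS
                # Placeholder paths: replace with the real CA, server
                # certificate and private key files.
                EAPTLS_CAFile /path/to/ca.pem
                EAPTLS_CertificateFile /path/to/server-cert.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /path/to/server-key.pem
                EAPTLS_MaxFragmentSize 1024
                EAPAnonymous %0
                # Preferred setting: keep SECLEVEL 1 and add TLSv1 only
                # because some supplicants still negotiate TLS 1.0 inside
                # PEAP/TTLS. Drop TLSv1 again once those clients are gone.
                EAPTLS_SecurityLevel 1
                EAPTLS_Ciphers DEFAULT@SECLEVEL=1
                EAPTLS_Protocols TLSv1, TLSv1.1, TLSv1.2
                # Last-resort fallback if the handshake still fails with
                # "unsupported protocol". SECLEVEL 0 also permits weak
                # ciphers and short keys, so enable it only for the
                # handler that serves the clients that need it.
                #EAPTLS_SecurityLevel 0
                #EAPTLS_Ciphers DEFAULT@SECLEVEL=0
        </AuthBy>
</Handler>
```

With SSLeayTrace 4 still set on the outer AuthBy, the trace shows which TLS version the supplicant offers, which tells you whether TLSv1 alone is enough or the SECLEVEL=0 fallback is really required.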

