    EAP TLS 1.3 Wifi authentication

      stephenw10 Netgate Administrator

      What are you using for Access Point(s)? Are you using Freeradius in pfSense?

      Is TLS 1.2 explicitly disallowed anywhere?

      Steve

        niryaron678 @stephenw10

        @stephenw10

        Hey, I configured my switch to pass the traffic to a Linux machine. On the Linux machine I run a Docker container of FreeRADIUS that supports EAP TLS 1.2 and 1.3.
        When I ran authentication from Windows to the server, it worked well.
        But for macOS, iPhone and Android it ran EAP TLS 1.2 and worked well for 1.2.

            stephenw10 Netgate Administrator

            Ah, so the client here is the switch not an AP?

              niryaron678 @stephenw10

              @stephenw10
              I'm not sure I got you, but I connect to Wi-Fi with my iPhone, e.g. after installing certificates on the iPhone and choosing EAP TLS via the phone settings.

                stephenw10 Netgate Administrator

                Where is the radius client though? On the AP? WPA ent auth? Or on a switch?

                It probably doesn't matter much though. If you don't want TLS 1.2 you need to disable it I would expect.

                  niryaron678 @stephenw10

                  @stephenw10 The RADIUS client is the iPhone device (it sends TLS messages and the switch wraps them as RADIUS packets). The security of the connection is WPA2 Enterprise.
                  Although, by the RFC, clients that support EAP TLS 1.3 must negotiate the version with the server. They must send all their supported versions and the server will try to take the most secure one (EAP TLS 1.3), and as I saw in the packets the client does not send EAP TLS supported versions. Also, I'm not sure that we can disable EAP TLS 1.2.

                    stephenw10 Netgate Administrator @niryaron678

                    @niryaron678 said in EAP TLS 1.3 Wifi authentication:

                    the switch wraps them as RADIUS packets

                    That implies the switch is the radius client here. As defined in the freeradius server as a NAS/Client.

                    However for WPA Ent I expect the AP to be the client?

                      niryaron678 @stephenw10

                      @stephenw10 said in EAP TLS 1.3 Wifi authentication:

                      client

                      I'm not sure about what I said, but if the switch is the real client here, how does Windows work well and Mac and iOS not?

                        stephenw10 Netgate Administrator

                        Like I say, it shouldn't make any difference where the radius client is, other than that's where I'd look for any settings that might determine allowed TLS types.

                          niryaron678 @stephenw10

                          @stephenw10 The server supports EAP TLS 1.2 and 1.3, and for those versions the Apple iPhone supports EAP TLS 1.3 by default.
                          How can I investigate this issue?

                            stephenw10 Netgate Administrator

                            Moved this to off-topic as it's not a pfSense related issue.
