Netgate Discussion Forum
    EAP TLS 1.3 Wifi authentication

    Category: Off-Topic & Non-Support Discussion
    13 Posts 2 Posters 1.7k Views
    niryaron678:

      Hey, I have a FreeRADIUS server that supports EAP-TLS 1.3. I send an EAP-TLS authentication using Windows 11 and see in Wireshark that the packets are really EAP-TLS 1.3. But when I do it using macOS / iPhone / Android, which support EAP-TLS 1.3 by default (as written in forums: macOS 14.2.1 and iOS 17.2.1), I see a Client Hello of 1.2 without the supported_versions extension, and the authentication is done with EAP-TLS 1.2. Has anyone seen this issue / does anyone know if they really support authentication with EAP-TLS 1.3? I use the same certificates for all of the clients and install them. Thanks, Nir.

    stephenw10 (Netgate Administrator):

        What are you using for Access Point(s)? Are you using Freeradius in pfSense?

        Is TLS 1.2 explicitly disallowed anywhere?

        Steve

    niryaron678 @stephenw10:

          @stephenw10

      Hey, I configured my switch to pass the traffic to a Linux machine. On the Linux machine I run a Docker container of FreeRADIUS that supports EAP-TLS 1.2 and 1.3.
      When I ran authentication from Windows to the server, it worked well.
      But for macOS, iPhone and Android it ran EAP-TLS 1.2 and worked well for 1.2.

    niryaron678 @stephenw10:

      This post is deleted!
    stephenw10 (Netgate Administrator):

              Ah, so the client here is the switch not an AP?

    niryaron678 @stephenw10:

      @stephenw10
      Not sure I got you, but I connect to Wi-Fi with my iPhone, e.g. after installing the certificates on the iPhone and choosing EAP-TLS in the phone settings.

    stephenw10 (Netgate Administrator):

                  Where is the radius client though? On the AP? WPA ent auth? Or on a switch?

                  It probably doesn't matter much though. If you don't want TLS 1.2 you need to disable it I would expect.

    niryaron678 @stephenw10:

      @stephenw10 The RADIUS client is the iPhone device (it sends the TLS messages and the switch wraps them as RADIUS packets). The security of the connection is WPA2 Enterprise.
      Although, by the RFC, clients that support EAP-TLS 1.3 must negotiate the version with the server: they must send all their supported versions and the server will try to take the most secure one (EAP-TLS 1.3), and as I saw in the packets the client does not send the EAP-TLS supported versions. Also, I'm not sure that we can disable EAP-TLS 1.2.

    stephenw10 (Netgate Administrator) @niryaron678:

      @niryaron678 said in EAP TLS 1.3 Wifi authentication:

          the switch wrap them as radius packets

                      That implies the switch is the radius client here. As defined in the freeradius server as a NAS/Client.

                      However for WPA Ent I expect the AP to be the client?

    niryaron678 @stephenw10:

      @stephenw10 said in EAP TLS 1.3 Wifi authentication:

          client

      Not sure about what I said, but if the switch is the real client here, how does Windows work well and Mac and iOS don't?

    stephenw10 (Netgate Administrator):

      Like I say, it shouldn't make any difference where the RADIUS client is, other than that's where I'd look for any settings that might determine the allowed TLS types.

    niryaron678 @stephenw10:

      @stephenw10 The server supports EAP-TLS 1.2 and 1.3, and for those versions the Apple iPhone supports EAP-TLS 1.3 by default.
      How can I investigate this issue?

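One concrete way to investigate the question above, and to check the point made earlier in the thread that a TLS 1.3-capable client must advertise its versions in the ClientHello (the supported_versions extension, type 43, from RFC 8446 §4.2.1): pull the raw TLS record out of the captured EAP-TLS exchange and check whether that extension is present and what it lists. The script below is an added example written for this page, not code from the thread or from FreeRADIUS; the two sample ClientHellos it feeds itself are constructed (fixed random, two cipher suites) and are not captured packets. It assumes the input is the TLS record itself, i.e. the bytes after the RADIUS/EAP/EAP-TLS headers have been stripped, which is what you get by exporting the bytes of the TLS layer from the first client Access-Request that carries TLS data.

```python
import struct

# Added example: parse a TLS ClientHello record and report which protocol
# versions the client offers. A client that negotiates TLS 1.3 must carry the
# supported_versions extension; a hello without it can only reach TLS 1.2.

TLS_VERSION_NAMES = {
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # extension type 43 (RFC 8446)
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01


def _name(v):
    return TLS_VERSION_NAMES.get(v, "0x%04x" % v)


def parse_client_hello(record):
    """Describe the versions offered by a ClientHello.

    `record` is the raw TLS record (5-byte record header + handshake message),
    i.e. the TLS bytes after the RADIUS/EAP-TLS encapsulation has been removed.
    """
    if len(record) < 5 + 4:
        raise ValueError("record too short")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")

    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32                      # client random
    pos += 1 + hello[pos]          # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len              # cipher_suites
    pos += 1 + hello[pos]          # legacy_compression_methods

    supported = None
    if pos < len(hello):           # the extensions block is optional in TLS <= 1.2
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and data:
                n = data[0]        # one-byte length of the version list
                supported = [struct.unpack("!H", data[1 + i:3 + i])[0]
                             for i in range(0, n, 2)]

    # Without the extension the only version on offer is the legacy field.
    offered = supported if supported is not None else [legacy_version]
    return {
        "legacy_version": _name(legacy_version),
        "supported_versions": None if supported is None else [_name(v) for v in supported],
        "highest_offered": _name(max(offered)),
        "offers_tls13": 0x0304 in offered,
    }


def build_client_hello(legacy_version, supported_versions=None):
    """Build a minimal ClientHello record (constructed sample input, not a capture)."""
    hello = struct.pack("!H", legacy_version) + b"\x11" * 32   # fixed random for the sample
    hello += b"\x00"                                           # empty session id
    suites = struct.pack("!HH", 0x1301, 0xC02B)                # TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES128-GCM
    hello += struct.pack("!H", len(suites)) + suites
    hello += b"\x01\x00"                                       # one compression method: null
    exts = b""
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(hs)) + hs


# Constructed samples: a hello that advertises TLS 1.3 (what the thread saw from
# Windows 11) and a plain TLS 1.2 hello with no supported_versions extension.
SAMPLE_TLS13_HELLO = build_client_hello(0x0303, [0x0304, 0x0303])
SAMPLE_TLS12_HELLO = build_client_hello(0x0303)

if __name__ == "__main__":
    for label, sample in (("tls13-capable", SAMPLE_TLS13_HELLO), ("tls12-only", SAMPLE_TLS12_HELLO)):
        print(label, parse_client_hello(sample))
```

Run it against the record from each client type: if `supported_versions` comes back `None` for the Apple and Android hellos while it lists TLS 1.3 for Windows, the difference is in what the supplicant sends, not in the NAS or the server, and the next place to look is the client's EAP profile rather than FreeRADIUS. Wireshark shows the same extension under the ClientHello's Extensions in its TLS dissector, so the script is mainly useful for checking many captures consistently.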
    stephenw10 moved this topic from Wireless.
    stephenw10 (Netgate Administrator):

                              Moved this to off-topic as it's not a pfSense related issue.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.