EAP TLS 1.3 Wifi authentication
-
Hey, I have a FreeRADIUS server that supports EAP-TLS 1.3. I send an EAP-TLS authentication using Windows 11 and see in Wireshark that the packets really are EAP-TLS 1.3. But then when I do it using macOS / iPhone / Android, which support EAP-TLS 1.3 by default (as written in forums: macOS 14.2.1 and iOS 17.2.1), I see a 1.2 Client Hello without the supported_versions extension, and the authentication is EAP-TLS 1.2. Has anyone seen this issue / does anyone know if they really support EAP-TLS 1.3 authentication? I use the same certificates for all of the clients and install them. Thanks, Nir.
-
What are you using for Access Point(s)? Are you using FreeRADIUS in pfSense?
Is TLS 1.2 explicitly disallowed anywhere?
Steve
-
Hey, I configured my switch to pass the traffic to a Linux machine. On the Linux machine I run a Docker container of FreeRADIUS that supports EAP-TLS 1.2 and 1.3.
When I ran the authentication from Windows to the server, it worked well.
But for macOS, iPhone and Android it ran EAP-TLS 1.2 and worked well for 1.2.
-
-
Ah, so the client here is the switch not an AP?
-
@stephenw10
Not sure I got you, but I connect to Wi-Fi with my iPhone, e.g. after installing certificates on the iPhone and choosing EAP-TLS via the phone settings.
-
Where is the radius client though? On the AP? WPA ent auth? Or on a switch?
It probably doesn't matter much though. If you don't want TLS 1.2, you need to disable it, I would expect.
-
@stephenw10 The RADIUS client is the iPhone device (it sends the TLS messages and the switch wraps them as RADIUS packets). The security of the connection is WPA2 Enterprise.
Although, by the RFC, clients that support EAP-TLS 1.3 must negotiate the version with the server. They must send all their supported versions and the server will try to take the most secure one (EAP-TLS 1.3), and as I saw in the packets the client does not send EAP-TLS supported versions. Also, I'm not sure that we can disable EAP-TLS 1.2.
-
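To verify what a captured Client Hello actually offers, here is an added example (not code from the thread): it parses the ClientHello handshake bytes carried inside the EAP-TLS payload and reports the legacy_version plus any supported_versions extension (type 0x002b). A TLS 1.3-capable client lists 0x0304 in that extension; a 1.2-only hello has no such extension at all. The two sample hellos are constructed for the demo; on a real capture, feed it the raw TLS record bytes exported from Wireshark.

```python
"""Inspect a TLS ClientHello (as carried in EAP-TLS) for the supported_versions extension."""
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type from RFC 8446

def build_client_hello(legacy_version, extensions):
    """Build a minimal, constructed ClientHello record (record + handshake headers)."""
    body = struct.pack(">H", legacy_version) + b"\x00" * 32   # legacy_version, random
    body += b"\x00"                                            # empty session id
    body += struct.pack(">H", 2) + b"\x13\x01"                 # one cipher suite
    body += b"\x01\x00"                                        # compression: null only
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs   # TLS record header

def parse_client_hello(rec):
    """Return (legacy_version, list of offered versions or None) for a ClientHello record."""
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a ClientHello handshake record"
    p = 9                                        # skip record (5) + handshake (4) headers
    legacy = struct.unpack(">H", rec[p:p + 2])[0]
    p += 2 + 32                                  # legacy_version + random
    p += 1 + rec[p]                              # session id
    p += 2 + struct.unpack(">H", rec[p:p + 2])[0]   # cipher suites
    p += 1 + rec[p]                              # compression methods
    if p >= len(rec):
        return legacy, None                      # no extensions block at all (pre-1.3 style)
    end = p + 2 + struct.unpack(">H", rec[p:p + 2])[0]
    p += 2
    offered = None
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type == SUPPORTED_VERSIONS:
            n = data[0]                          # ClientHello form: 1-byte length, then 2-byte versions
            offered = [struct.unpack(">H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return legacy, offered

def offers_tls13(rec):
    """True if the hello advertises TLS 1.3 (0x0304) via supported_versions."""
    _, offered = parse_client_hello(rec)
    return offered is not None and 0x0304 in offered

# Constructed samples: a 1.3-capable hello and a plain 1.2 hello (supported_groups only)
HELLO_13 = build_client_hello(0x0303, [(SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03")])
HELLO_12 = build_client_hello(0x0303, [(0x000A, b"\x00\x02\x00\x1d")])
```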
@niryaron678 said in EAP TLS 1.3 Wifi authentication:
the switch wrap them as radius packets
That implies the switch is the RADIUS client here, as defined in the FreeRADIUS server as a NAS/client.
However for WPA Ent I expect the AP to be the client?
-
@stephenw10 said in EAP TLS 1.3 Wifi authentication:
client
Not sure about what I said, but if the switch is the real client here, how does Windows work well and Mac and iOS not?
-
Like I say, it shouldn't make any difference where the RADIUS client is, other than that's where I'd look for any settings that might determine the allowed TLS types.
-
@stephenw10 The server supports EAP-TLS 1.2 and 1.3, and for those versions the Apple iPhone supports EAP-TLS 1.3 by default.
How can I investigate this issue?
-
Moved this to off-topic as it's not a pfSense related issue.