I'm using FreeRADIUS v3.0.26 and have configured the eap module for EAP-TLS authentication.
I installed the eapol_test package to check whether everything works.
Everything looks okay, but if I use TLS 1.3 in my eap configuration file (mods-enabled/eap):
tls_min_version = "1.3"
tls_max_version = "1.3"
the server returns an error message.
The client tries to connect via TLS 1.3, but the server sends back "TLS 1.2 Alert, fatal protocol_version":
Sun Dec 11 15:23:20 2022 : Debug: (1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
Sun Dec 11 15:23:20 2022 : Debug: (1) eap_tls: (TLS) send TLS 1.2 Alert, fatal protocol_version
Sun Dec 11 15:23:20 2022 : ERROR: (1) eap_tls: (TLS) Alert write:fatal:protocol version
Sun Dec 11 15:23:20 2022 : ERROR: (1) eap_tls: (TLS) Server : Error in error
Sun Dec 11 15:23:20 2022 : ERROR: (1) eap_tls: (TLS) Failed reading from OpenSSL: ../ssl/statem/statem_srvr.c[1657]:error:0A000102:SSL routines::unsupported protocol
Sun Dec 11 15:23:20 2022 : ERROR: (1) eap_tls: (TLS) System call (I/O) error (-1)
Sun Dec 11 15:23:20 2022 : ERROR: (1) eap_tls: (TLS) EAP Receive handshake failed during operation
Sun Dec 11 15:23:20 2022 : ERROR: (1) eap_tls: [eaptls process] = fail
Sun Dec 11 15:23:20 2022 : ERROR: (1) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed
The same happens when I try to connect with a real wireless client, so there's nothing wrong with eapol_test.
As soon as I set the following options:
tls_min_version = "1.2"
tls_max_version = "1.3"
Authentication works, but then TLS 1.2 is used.
Is it possible to use FreeRADIUS with EAP-TLS over TLS 1.3?
The next thing I don't understand is the following warning messages when connecting:
Sun Dec 11 15:02:50 2022 : Warning: Certificate chain - 2 cert(s) untrusted
Sun Dec 11 15:02:50 2022 : Warning: (TLS) untrusted certificate with depth [2] subject name ....CN=ROOT CA.......
Sun Dec 11 15:02:50 2022 : Warning: (TLS) untrusted certificate with depth [1] subject name ....CN=Intermediate CA.......
Sun Dec 11 15:02:50 2022 : Warning: (TLS) untrusted certificate with depth [0] subject name ....CN=Client Cert.......
I've read the hints in the eap config and configured it as follows:
private_key_password = XXXXXX
private_key_file = /etc/freeradius/3.0/certs/radius-server.key
certificate_file = /etc/freeradius/3.0/certs/radius-server.pem
ca_file = /etc/freeradius/3.0/certs/ca.cert.crt
auto_chain = yes
ca_path = ${cadir}
radius-server.pem includes only the server cert
ca.cert.crt includes only the root CA
Connection and authentication work, but I don't understand the warning messages, because the client also sends the full chain.
TLS 1.3 for EAP is very new - it has only been standardised in the last few months. You need the latest FreeRADIUS release and the latest wpa_supplicant (or maybe even the unreleased development version) for it to work.
There is little chance it will work with any devices yet as they will likely not be running a recent enough wpa_supplicant version.
It does work with FreeRADIUS and wpa_supplicant, if configured correctly. The defaults will still be for 1.2 as that is the most compatible. You need to set tls_max_version = "1.3" in FreeRADIUS, and also phase1="tls_disable_tlsv1_3=0" in the wpa_supplicant configuration. There may be other options needed to force it to work.
Note that the FreeRADIUS debug output will sometimes still report TLS 1.2 in a few debug messages; this is a side effect of the way TLS works, and is unavoidable.
Summary - stick with TLS 1.2 for EAP for another year or so until newer software has been released, unless you want pain.
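Putting the answer's two settings side by side, as an added example that is not code from the original question or answer and not from the FreeRADIUS or wpa_supplicant projects: a POSIX shell script that writes the FreeRADIUS tls-config fragment (allowing 1.2 through 1.3), writes an eapol_test/wpa_supplicant network block with phase1="tls_disable_tlsv1_3=0", wraps the eapol_test invocation, and classifies a radiusd -X debug log for the fatal protocol_version alert shown in the question. The output directory, certificate paths, identity, password and the sample log file are placeholders and constructed data, not values from the post.

```shell
#!/bin/sh
# Added example (not code from the original question or answer, and not part of
# FreeRADIUS or wpa_supplicant): writes the two configuration fragments the
# answer describes and classifies a FreeRADIUS debug log. File names,
# certificate paths and credentials below are placeholders.
set -eu

# Hypothetical output directory; override with OUT_DIR=... when running.
: "${OUT_DIR:=${TMPDIR:-/tmp}/eap-tls13-example}"

# FreeRADIUS side: fragment for eap { tls-config tls-common { ... } } in
# mods-enabled/eap. Pinning min and max both to "1.3" (the poster's first
# attempt) makes the server answer with a fatal protocol_version alert for any
# supplicant that does not actually offer TLS 1.3. Allowing 1.2 through 1.3
# keeps 1.2-only clients working while a 1.3-capable supplicant can use 1.3.
write_radius_tls_config() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/tls-common-tls13.conf" <<'EOF'
# Paste inside eap { tls-config tls-common { ... } } (placeholder paths)
tls_min_version = "1.2"
tls_max_version = "1.3"
private_key_password = changeme
private_key_file = /etc/freeradius/3.0/certs/radius-server.key
certificate_file = /etc/freeradius/3.0/certs/radius-server.pem
ca_file = /etc/freeradius/3.0/certs/ca.cert.crt
EOF
    printf '%s\n' "$dir/tls-common-tls13.conf"
}

# Supplicant side: an eapol_test / wpa_supplicant network block. Per the answer,
# wpa_supplicant does not negotiate TLS 1.3 for EAP unless phase1 carries
# tls_disable_tlsv1_3=0; that is the only non-default line here.
write_supplicant_config() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/eapol_test-tls13.conf" <<'EOF'
network={
    ssid="eap-tls13-test"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="client@example.org"
    ca_cert="/etc/freeradius/3.0/certs/ca.cert.crt"
    client_cert="/etc/freeradius/3.0/certs/client.pem"
    private_key="/etc/freeradius/3.0/certs/client.key"
    private_key_passwd="changeme"
    phase1="tls_disable_tlsv1_3=0"
}
EOF
    printf '%s\n' "$dir/eapol_test-tls13.conf"
}

# Run eapol_test against a RADIUS server if the binary is installed; otherwise
# print the command so it can be run on the test host.
# Usage: run_eapol_test CONFIG RADIUS_HOST SHARED_SECRET
run_eapol_test() {
    if command -v eapol_test >/dev/null 2>&1; then
        eapol_test -c "$1" -a "$2" -p 1812 -s "$3"
    else
        printf 'eapol_test not installed; run: eapol_test -c %s -a %s -p 1812 -s <secret>\n' "$1" "$2"
    fi
}

# Classify a FreeRADIUS debug log (radiusd -X output). OpenSSL reports
# "unsupported protocol" and the server sends a fatal protocol_version alert
# when the range allowed by tls_min_version/tls_max_version has no version in
# common with what the supplicant offered in its ClientHello.
# Usage: classify_eap_tls_log LOGFILE -> version_mismatch | other_failure | no_error
classify_eap_tls_log() {
    if grep -q 'Alert, fatal protocol_version' "$1" || grep -q 'unsupported protocol' "$1"; then
        printf 'version_mismatch\n'
    elif grep -q 'ERROR' "$1"; then
        printf 'other_failure\n'
    else
        printf 'no_error\n'
    fi
}

# Demo with a constructed log that mirrors the lines quoted in the question.
mkdir -p "$OUT_DIR"
cat > "$OUT_DIR/constructed-fail.log" <<'EOF'
Sun Dec 11 15:23:20 2022 : Debug: (1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
Sun Dec 11 15:23:20 2022 : Debug: (1) eap_tls: (TLS) send TLS 1.2 Alert, fatal protocol_version
Sun Dec 11 15:23:20 2022 : ERROR: (1) eap_tls: (TLS) Failed reading from OpenSSL: ../ssl/statem/statem_srvr.c[1657]:error:0A000102:SSL routines::unsupported protocol
EOF
write_radius_tls_config "$OUT_DIR"
write_supplicant_config "$OUT_DIR"
classify_eap_tls_log "$OUT_DIR/constructed-fail.log"   # version_mismatch
```

Run it with sh, copy the tls-common fragment into the eap module, then call run_eapol_test with the generated network block, the RADIUS host and the client's shared secret. Tightening the server back to tls_min_version = "1.3" is only sensible once the supplicant is confirmed to negotiate 1.3, because that setting turns every 1.2-only client into the protocol_version failure above.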