Another TTLS EAP 450 question

Trying to get 450 to work with TTLS EAP and RADIUS. Specifically FreeRADIUS 3.2.1 on Debian 12.5.

Following all the information online, I’ve set up RADIUS, including creating my own certificates, and tested the setup using the eapol_test tool.

But tests with the 450 Cambium equipment (at 20.1) fail at the SSL handshake with an error message in the FreeRADIUS log: “unsupported protocol”.

I was able to get it to work by forcing TLS 1.0 (setting min and max TLS to 1.0 and setting cipher_list to DEFAULT@SECLEVEL=0). Obviously not a good thing to do, but it does verify that the issue is something about support for TLS > 1.0.

Is this a known problem?
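
An added example, not part of the original post or of FreeRADIUS: a small Python check that flags the workaround settings described above if they remain in an EAP module configuration. The sample config text is constructed, its layout is assumed, and the TLS 1.2 floor is an assumption; `tls_min_version`, `tls_max_version` and `cipher_list` are the FreeRADIUS 3.x `tls-config` directives the post refers to.

```python
import re

# Constructed sample: the settings the post describes, as they might appear
# in the tls-config block of FreeRADIUS 3.x mods-available/eap (assumed layout).
SAMPLE_WORKAROUND = '''
tls-config tls-common {
    # workaround for 450 radios
    tls_min_version = "1.0"
    tls_max_version = "1.0"
    cipher_list = "DEFAULT@SECLEVEL=0"
}
'''

# Constructed sample of a config without the downgrade.
SAMPLE_STRICT = '''
tls-config tls-common {
    tls_min_version = "1.2"
    tls_max_version = "1.3"
    cipher_list = "DEFAULT"
}
'''

# Anchored at line start, so commented-out settings are never matched.
SETTING = re.compile(
    r'^\s*(tls_min_version|tls_max_version|cipher_list)\s*=\s*"?([^"#\s]+)"?')

def audit_tls_config(text, floor=(1, 2)):
    """Return (line, key, reason) for TLS settings weaker than `floor`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SETTING.match(line)
        if not m:
            continue  # comments, braces, unrelated settings
        key, value = m.groups()
        if key.startswith("tls_"):
            version = tuple(int(p) for p in value.split("."))
            if version < floor:
                findings.append((lineno, key, f"TLS {value} is below the floor"))
        elif re.search(r"@SECLEVEL=0\b", value):
            findings.append((lineno, key, "OpenSSL security level forced to 0"))
    return findings

if __name__ == "__main__":
    for lineno, key, why in audit_tls_config(SAMPLE_WORKAROUND):
        print(f"line {lineno}: {key}: {why}")
```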

This thread might help (or not):

Thanks but it doesn’t have a solution.

So you discovered what I discovered, which is that the 450 (also applies, I believe, to ePMP) system does not support newer TLS. I believe you to be more savvy than myself with SSL. I was at the point where I was going to recompile OpenSSL for CentOS/RHEL to allow weaker security. It is low priority, so I have not touched this for a year.

Cambium needs to compile their software to support newer security for authentication, but I do not think it is a priority to them. That, or the developer responsible for that portion of their code has not been made aware, or worse yet, there is no one in the organization that is responsible.

I would suggest you submit it as a bug. The more of us that do, the more attention it will get.

Well, it is tempting to blame Cambium, but TLS 1.0 use is a very well known security risk. Hard to believe Cambium could be so negligent for so long.

Maybe I’m wrong, but my guess is that there is something about the hardware/firmware that’s busted in our particular cases. I think from 20.x TLS 1.2 is supported so it must be something subtle.

Cambium, are you listening?! How about some help?

@CambiumMatt Hoping Matt can shed some light on this. We need to migrate our RADIUS servers soon.

We heard (via our client) from Cambium support. Their response was "Our Engineering and product management teams are aware of this limitation."

So Cambium documentation on this matter is wrong (they say they support TLS 1.2) and, worse, their software is at least (being generous) 3-5 years out of date (security-wise).