Raspbian WiFi with RADIUS and TLS 1.2

After our recent enforcement of TLS 1.2 for our WiFi setup our Raspberry Pi3 dropped off the network. I spent a fair amount of time running wpa_supplicant in debug mode along with Wireshark on the RADIUS server and it was clear that the Pi was insisting on using TLS 1.0, which was the cause of the failure.

Once you get into the wonderful world of wpa_supplicant.conf variables and examples, you’ll find there are a number of ways to do things and everyone’s mileage seems to vary. In my case I knew what I wanted: The Pi need to be told to use TLS 1.2. I discovered some settings for phase2 that allow you to disable the various TLS versions. So my thinking was to just disable 1.0 and 1.1 so I ended up with the following additional line in wpa_supplicant.conf

phase2=”auth=MSCHAPV2 tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1″

This unfortunately did not solve my problem. Even though I could see from the debug output the flags were being set, the Pi still negotiated for TLS 1.0.

Some more digging around on google suggested that TLS 1.2 was set as default in wpa_supplicant 2.4. As I was still running Wheezy, my version was 2.3. So after an upgrade to Stretch I was able to install wpa_supplicant 2.4 and the Pi could once again connect to WiFi. It also turns out you don’t really need all the phase1 and phase2 settings (with Windows RADIUS at least). So for reference my working wpa_supplicant.conf looks as follows:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
ssid=”MyAccessPointName”
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
auth_alg=OPEN
eap=PEAP
identity=”domain\username”
password=”yoursupersecurepassword”
}