Resolving Windows 10, OSX 11.0+ EAP failure

If you’re one of those running a freeradius-based, EAP-authenticated wireless access point network, you might have noticed that the latest operating systems won’t authenticate against your existing deployment.

The cause of this is really simple. Both the cipher and key length requirements have changed in these new operating systems. This is of course natural given the evolution of the security field, but it can be really frustrating to resolve.

We had a similar freeradius EAP deployment and needed to update it to work with Windows 10 in particular. Windows 10 requires Diffie-Hellman parameters of at least 1024 bits in length. If your deployment has been in place for a long time, as ours had, it’s likely that you only have 768-bit DH parameters in place.

To resolve the issue, just generate new DH parameters (you don’t need to touch your certs) with

openssl gendh -out dh.pem 2048

and point your freeradius EAP module to it. You can simply replace your previous DH parameters with this file.

Also worth mentioning: although I have said that your certs don’t need updating, you need to ensure that the key length in your certs is >1024 bits and that the hash algorithm is not MD5, which is similarly no longer supported by recent operating systems. When I say not supported, I mean deprecated.
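As an added example (not from the original post), here is a small POSIX shell audit that applies the thresholds above to the output of `openssl dhparam -text -noout` and `openssl x509 -text -noout`. The helper names and the abbreviated sample outputs are this example's own construction.

```shell
# Audit the TLS material freeradius' EAP module uses against the requirements
# above: DH parameters >= 1024 bits, cert key > 1024 bits, no MD5 signature.

# Extract the bit length from `openssl dhparam -in dh.pem -text -noout` output,
# e.g. "    DH Parameters: (768 bit)" -> 768 (empty if the line is missing).
dh_bits_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds when the DH parameters are long enough for Windows 10 / OS X 11 clients.
dh_ok() {
    bits=$(dh_bits_from_text "$1")
    [ -n "$bits" ] && [ "$bits" -ge 1024 ]
}

# Key length from `openssl x509 -in server.pem -text -noout`; newer OpenSSL prints
# "Public-Key: (N bit)", older releases "RSA Public Key: (N bit)", so accept both.
cert_key_bits_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# First "Signature Algorithm:" name, e.g. md5WithRSAEncryption.
cert_sig_alg_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*Signature Algorithm: \([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Succeeds when the certificate passes: key > 1024 bits and not MD5-signed.
cert_ok() {
    bits=$(cert_key_bits_from_text "$1")
    alg=$(cert_sig_alg_from_text "$1")
    [ -n "$bits" ] && [ "$bits" -gt 1024 ] || return 1
    case "$alg" in
        md5*|MD5*) return 1 ;;
    esac
    return 0
}

# Constructed, abbreviated sample outputs standing in for real openssl output.
OLD_DH='    DH Parameters: (768 bit)
        prime: ...'
NEW_DH='    DH Parameters: (2048 bit)
        prime: ...'
OLD_CERT='        Signature Algorithm: md5WithRSAEncryption
                RSA Public Key: (1024 bit)'
NEW_CERT='        Signature Algorithm: sha256WithRSAEncryption
                Public-Key: (2048 bit)'

# Against real files:  dh_ok "$(openssl dhparam -in dh.pem -text -noout)" && echo "DH ok"
dh_ok "$OLD_DH" || echo "old DH parameters too short for Windows 10"
cert_ok "$OLD_CERT" || echo "old certificate needs replacing"
```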

I hope I helped.