    johnpoz

    @JonathanLee TLS 1.3 has been used for quite some time.. Any time I bother to look at the connection to pretty much anything it's TLS 1.3.. This connection to the forums is using TLS 1.3

    ESNI is dead but long live ECH, that could be problematic I would bet..

    But again I don't do any sort of MITM, it's not good practice - I want my SSL/TLS to be end to end.. As the internet gods intended it to be ;)

    I have no need or desire to run a proxy.. If I want to block something I would filter on IP or DNS.. Yes I block the bane of filtering, DoH and DoT.

    I run a reverse proxy, but not as a filtering method or as a way to do MITM.. But as a way to offload the SSL connection because the actual services have no SSL support at all, or are a pain to set up. These connections are TLS 1.3.. And I don't even allow 1.2, if you're not using 1.3 then you're not accessing it. And use strict SNI - so if you don't send the valid SNI you're not being proxied in either. This keeps rando port scanners from being able to actually get to the sites' interface.

    And I block most of the known scanners from talking to any of my forwards anyway, and only allow access into my forwards if you're coming from a US IP, etc.

    vallum

    @wickeren said in Freeradius with LDAP backend and 802.1x:

    Have set Active Directory Compatibility in the Freeradius LDAP settings and played around with the EAP settings. For now the default is PEAP, in the EAP-PEAP section the default is MSCHAPv2 and Copy Request to Tunnel is set to Yes. According to some info I have found this should be OK, but in my case it isn’t however. Still think it must be something there, but can’t figure it out yet.

    Hi, I tried to configure FreeRADIUS on pfSense (authentication via LDAP or Kerberos), I have AD 2008.
    Can you share your configuration please?