
List:       freeradius-users
Subject:    Re: EAP TLS fatal protocol version
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2023-06-25 13:22:55
Message-ID: 038E4788-1BBE-48CC-9508-166A2AC2954E () deployingradius ! com

On Jun 24, 2023, at 12:52 PM, Roudi via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> I recently got a VPS for my RADIUS server as I am having issues keeping my local server online due to prolonged rolling blackouts.
> My new server is Ubuntu 22.04.2 and I have installed the latest FreeRADIUS v3.2.3 and I am using MySQL. My FreeRADIUS server is working perfectly for PPPoE authentication on Mikrotik. My problem comes in on my Ubiquiti Sectors where I have WPA2-Enterprise Authentication on the WiFi devices. My old server is running Ubuntu 18 with FreeRadius v3.0, and on that server my WPA2-Enterprise authentication is working perfectly.
> The error I am getting on the new server looks like this in the log file:
> 
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: (TLS) EAP Peer says that the final record size will be 62 bytes
> (6) eap_peap: (TLS) EAP Got all data (62 bytes)
> (6) eap_peap: (TLS) Handshake state - before SSL initialization
> (6) eap_peap: (TLS) Handshake state - Server before SSL initialization
> (6) eap_peap: (TLS) Handshake state - Server before SSL initialization
> (6) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
> (6) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version

  That's the critical message.

> The problem looks like the client is sending a TLS 1.3 Handshake, and FreeRADIUS is replying with a TLS 1.0 reply.

  Yes.  But that's not happening.  OpenSSL is lying to us.

  What's really happening is that the supplicant is sending a TLS 1.0 handshake, and OpenSSL tells FreeRADIUS it's TLS 1.3.  That information is only used for this message, and FreeRADIUS knows to ignore it.  OpenSSL will later change its mind, and tell us the correct version of TLS.

  Since the client is sending TLS 1.0, FreeRADIUS has to send back TLS 1.0 in any message back to the client.  So that's what is really happening.

> I have also noticed that Ubuntu 22 is using OpenSSL 3.0.2 15 and Ubuntu 18 was using OpenSSL 1.1.1. And this is where, I suspect, my problem is, but I am unsure how to get around this.

  Ubuntu 18 allows TLS 1.0.  Ubuntu 22 doesn't.

  You should really upgrade the supplicant to use TLS 1.2.  TLS 1.0 has been out of date for a very long time.  It's also been officially deprecated, which is why Ubuntu 22 doesn't allow you to use it.

> What I have tried:
> * Setting TLS Max version to 1.3 in eap config

  Set tls_min_version = 1.0

  And then update the various other configuration options for TLS 1.0.  See mods-available/eap, and look for "TLS 1.0".

> Is there anyone out there that got WPA2-Enterprise authentication working on FreeRADIUS 3.0 or 3.2 on Ubuntu 22?

  Yes:

* use TLS 1.2, and there will be nothing special required

* if the supplicants use TLS 1.0, then upgrade them.

* otherwise if you can't upgrade, then configure FreeRADIUS for TLS 1.0 as described above.

  But using TLS 1.0 is a bad idea.  Old / insecure protocols shouldn't be used.

  Alan DeKok.
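A small triage script for the log pattern discussed in this thread, added here as an example; it is not part of Alan's reply or of the FreeRADIUS project. It reads `radiusd -X` output, groups the `(TLS) recv/send` lines by request id, and reports which requests were aborted with a `protocol_version` alert. Following the explanation above, the version printed on the `recv ... ClientHello` line is recorded but never treated as the supplicant's real version; only the `ServerHello` line (the version OpenSSL settled on) or the alert is used for the verdict. The sample log is constructed from the lines quoted above for request (6) plus a hypothetical request (7) that negotiates normally.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the radiusd -X lines quoted in the thread for
# request (6), plus a hypothetical request (7) that completes the handshake.
SAMPLE_LOG = """\
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Peer says that the final record size will be 62 bytes
(6) eap_peap: (TLS) EAP Got all data (62 bytes)
(6) eap_peap: (TLS) Handshake state - before SSL initialization
(6) eap_peap: (TLS) Handshake state - Server before SSL initialization
(6) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(6) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(7) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello
"""

# Matches the "(N) module: (TLS) recv|send TLS <ver> <type>, <detail>" lines
# that the EAP TLS-based submodules print in debug mode.
TLS_LINE = re.compile(
    r"^\((\d+)\)\s+\S+:\s+\(TLS\)\s+(recv|send)\s+TLS\s+([\d.]+)\s+(\w+),\s*(.+?)\s*$"
)


def triage(log: str) -> Dict[int, Dict[str, Optional[str]]]:
    """Per request id: the version OpenSSL reported for the ClientHello,
    the version it actually used for the ServerHello, and any alert sent."""
    requests: Dict[int, Dict[str, Optional[str]]] = {}
    for line in log.splitlines():
        m = TLS_LINE.match(line)
        if not m:
            continue
        rid, direction, version, rtype, detail = m.groups()
        entry = requests.setdefault(
            int(rid), {"hello_version": None, "server_version": None, "alert": None}
        )
        if direction == "recv" and rtype == "Handshake" and detail == "ClientHello":
            # Provisional value only: as the reply explains, OpenSSL reports
            # a version here that is not what the supplicant will negotiate.
            entry["hello_version"] = version
        elif direction == "send" and rtype == "Handshake" and detail == "ServerHello":
            # This is the version OpenSSL settled on for the session.
            entry["server_version"] = version
        elif rtype == "Alert":
            entry["alert"] = detail
    return requests


def failed_requests(log: str) -> List[int]:
    """Request ids where the server aborted the handshake with a
    protocol_version alert, i.e. the supplicant offered only TLS versions
    the server is configured to refuse (tls_min_version)."""
    return sorted(
        rid for rid, e in triage(log).items()
        if e["alert"] and "protocol_version" in e["alert"]
    )


def summarize(log: str) -> List[str]:
    """Human-readable verdict per request, without trusting the ClientHello version."""
    lines = []
    for rid, e in sorted(triage(log).items()):
        if e["alert"]:
            lines.append(
                f"request {rid}: handshake aborted ({e['alert']}); the advertised "
                f"TLS {e['hello_version']} is not reliable, the supplicant is offering "
                f"a version below the server's tls_min_version"
            )
        else:
            lines.append(f"request {rid}: negotiated TLS {e['server_version']}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it against a captured `radiusd -X` session to list the supplicants that need upgrading before (or instead of) lowering `tls_min_version`; the request ids map back to the `User-Name` and `Calling-Station-Id` lines earlier in the same debug output.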
