List: freeradius-users
Subject: Re: EAP TLS fatal protocol version
From: Alan DeKok <aland () deployingradius ! com>
Date: 2023-06-25 13:22:55
Message-ID: 038E4788-1BBE-48CC-9508-166A2AC2954E () deployingradius ! com
On Jun 24, 2023, at 12:52 PM, Roudi via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> I recently got a VPS for my RADIUS server as I am having issues keeping my local server online due to prolonged rolling blackouts.
> My new server is Ubuntu 22.04.2 and I have installed the latest FreeRADIUS v3.2.3 and I am using MySQL. My FreeRADIUS server is working perfectly for PPPoE authentication on Mikrotik. My problem comes in on my Ubiquiti Sectors where I have WPA2-Enterprise Authentication on the WiFi devices. My old server is running Ubuntu 18 with FreeRadius v3.0, and on that server my WPA2-Enterprise authentication is working perfectly.
> The error I am getting on the new server looks like this in the log file:
>
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: (TLS) EAP Peer says that the final record size will be 62 bytes
> (6) eap_peap: (TLS) EAP Got all data (62 bytes)
> (6) eap_peap: (TLS) Handshake state - before SSL initialization
> (6) eap_peap: (TLS) Handshake state - Server before SSL initialization
> (6) eap_peap: (TLS) Handshake state - Server before SSL initialization
> (6) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
> (6) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
That's the critical message.
> The problem looks like the client is sending a TLS 1.3 Handshake, and FreeRADIUS is replying with a TLS 1.0 reply.
Yes. But that's not happening. OpenSSL is lying to us.
What's really happening is that the supplicant is sending a TLS 1.0 handshake, and OpenSSL tells FreeRADIUS it's TLS 1.3. That information is only used for this message, and FreeRADIUS knows to ignore it. OpenSSL will later change its mind, and tell us the correct version of TLS.
Since the client is sending TLS 1.0, FreeRADIUS has to send back TLS 1.0 in any message back to the client. So that's what is really happening.
> I have also noticed that Ubuntu 22 is using OpenSSL 3.0.2 15 and Ubuntu 18 was using OpenSSL 1.1.1. And this is where, I suspect, my problem is, but I am unsure how to get around this.
Ubuntu 18 allows TLS 1.0. Ubuntu 22 doesn't.
You should really upgrade the supplicant to use TLS 1.2. TLS 1.0 has been out of date for a very long time. It's also been officially deprecated, which is why Ubuntu 22 doesn't allow you to use it.
> What I have tried:
> * Setting TLS Max version to 1.3 in eap config
Set tls_min_version = 1.0
And then update the various other configuration options for TLS 1.0. See mods-available/eap, and look for "TLS 1.0".
> Is there anyone out there that got WPA2-Enterprise authentication working on FreeRADIUS 3.0 or 3.2 on Ubuntu 22?
Yes:
* use TLS 1.2, and there will be nothing special required
* if the supplicants use TLS 1.0, then upgrade them.
* otherwise if you can't upgrade, then configure FreeRADIUS for TLS 1.0 as described above.
But using TLS 1.0 is a bad idea. Old / insecure protocols shouldn't be used.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
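The reply above makes the point that the "recv TLS 1.3 Handshake, ClientHello" line cannot be trusted: OpenSSL prints the version its SSL object is currently set to, not what the supplicant sent. The version the client actually offers is carried in the ClientHello itself, in its legacy_version field and, for TLS 1.2/1.3 clients, in the supported_versions extension (type 43, RFC 8446 section 4.2.1). The following parser is an added example written for this archive page; it is not FreeRADIUS or OpenSSL code. It assumes you have extracted the raw TLS record from the EAP-TLS/PEAP payload (for instance from a packet capture), and the two sample ClientHello messages, the cipher suite value and the all-zero random are constructed purely for illustration. The `diagnose` function reports what the client offers and whether a server configured with a given minimum version (the `tls_min_version` setting discussed above, passed here as a hypothetical `server_min` argument) could negotiate at all, which is exactly the case that produces the `fatal protocol_version` alert.

```python
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446


def version_name(v):
    return VERSION_NAMES.get(v, "0x%04x" % v)


def parse_client_hello(data):
    """Parse one TLS record carrying a ClientHello.

    Returns a dict with the record-layer version, the handshake
    legacy_version and the list of versions the client actually offers.
    """
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")

    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip client random
    pos += 1 + hello[pos]                          # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hello[pos]                          # compression methods

    offered = None
    if pos + 2 <= len(hello):                      # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]  # byte length of the version list
                offered = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                           for i in range(0, n, 2)]
    if offered is None:
        # Pre-TLS-1.3 semantics: legacy_version is the highest version the
        # client supports, so it accepts that version and anything below it.
        offered = [v for v in VERSION_NAMES if v <= legacy_version]

    return {
        "record_version": record_version,
        "legacy_version": legacy_version,
        "offered": offered,
        "offered_names": [version_name(v) for v in offered],
    }


def diagnose(data, server_min=0x0303):
    """Add a verdict: can a server whose minimum is server_min negotiate?

    server_min models FreeRADIUS's tls_min_version; TLS 1.3 is assumed to
    be the server's maximum. A False verdict is the protocol_version case.
    """
    info = parse_client_hello(data)
    info["negotiable"] = any(server_min <= v <= 0x0304 for v in info["offered"])
    return info


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello record for the samples below."""
    ext = b""
    if supported_versions:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ebody = bytes([len(vlist)]) + vlist
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ebody)) + ebody
    hello = struct.pack("!H", legacy_version) + bytes(32)   # constructed random
    hello += b"\x00"                                        # empty session id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
    hello += b"\x01\x00"                                    # null compression
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs


# Constructed samples: an old supplicant that only speaks TLS 1.0, and a
# modern one offering TLS 1.3 and TLS 1.2 through supported_versions.
TLS10_HELLO = build_client_hello(0x0301)
TLS13_HELLO = build_client_hello(0x0303, [0x0304, 0x0303])

if __name__ == "__main__":
    for label, rec in (("old supplicant", TLS10_HELLO), ("modern supplicant", TLS13_HELLO)):
        r = diagnose(rec)
        print(label, version_name(r["legacy_version"]), r["offered_names"], r["negotiable"])
```

Run against the old supplicant's hello with the Ubuntu 22 default (server minimum TLS 1.2) the verdict is not negotiable, which matches the alert in the log; with `server_min=0x0301`, i.e. the `tls_min_version = 1.0` workaround, it becomes negotiable. The record-layer version is 0x0301 in both samples, which is why looking at the record header alone tells you nothing.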