Authentication problems with some devices: TLS version too low

[Alan DeKok]

On Sep 1, 2017, at 1:16 PM, Lars Veldscholte <lars at tuxplace.nl> wrote:
> I have problems with authenticating some clients using PEAP-MSCHAP. I've seen two (unrelated) devices having this issue so far: an Android phone and a Windows 7 PC. Other clients do not have this problem.

  Vendors are starting to move to TLS 1.2 everywhere.

...
> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417D18C:SSL routines:tls_process_client_hello:version too low
> (2) eap_peap: ERROR: System call (I/O) error (-1)
> (2) eap_peap: ERROR: TLS receive handshake failed during operation
> (2) eap_peap: ERROR: [eaptls process] = fail
> (2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (2) eap: Sending EAP Failure (code 4) ID 230 length 4
> (2) eap: Failed in EAP select
> (2)     [eap] = invalid
> (2)   } # authenticate = invalid
> (2) Failed to authenticate the user
> 
> I'm not sure if I'm interpreting this correctly, but it seems that the client is trying to talk in TLSv1.2 while FreeRADIUS doesn't support that?

  Pretty much.  They *should* be able to negotiate a compatible TLS version, if your local version of OpenSSL supports TLS 1.2

> I don't know what started this problem. PEAP always worked in the past, until now.

  The clients upgraded, and now only allow TLS 1.2.

> The only thing I can think of is that I've recently generated new certificates (old ones were expired). There has also been a FreeRADIUS update (just regular Debian updates, I'm on 3.0.15 now). Could that be related?

  No.

  You will need to update OpenSSL to a version which supports TLS 1.2.  And then re-build and re-install FreeRADIUS.

  Given that *everything* depends on OpenSSL, you're probably better off just installing a new VM with a recent version of Debian.  Then, copy your current configuration over to the new machine.

  Alan DeKok.