FreeRadius 3.0.17 - TLS issue

Thorsten Fritsch thorsten.fritsch at
Thu Nov 29 15:19:20 CET 2018


we're running on Ubuntu 16.04.5 LTS. Sorry about the very verbose debug output. I took it with raddebug and
didn't know that's very verbose by default. Will take it to heart next time...

Unfortunately freeradius -Xv doesn't show the linked OpenSSL server on our system:

root at its-edurad-qm:~# freeradius -Xv
radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

It really seems to go into that direction - I found the following article:


From: arr2036 [via FreeRADIUS] <ml+s1045715n5752781h6 at>
Sent: Thursday, 29 November 2018 02:27
To: Thorsten Fritsch <thorsten.fritsch at>
Subject: Re: FreeRadius 3.0.17 - TLS issue

> On Nov 28, 2018, at 6:48 AM, Alan DeKok <[hidden email]</user/SendEmail.jtp?type=node&node=5752781&i=0>> wrote:
> On Nov 27, 2018, at 12:37 PM, Thorsten Fritsch <[hidden email]</user/SendEmail.jtp?type=node&node=5752781&i=1>> wrote:
>> we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can
>> connect to the PEAP/MS-CHAPv2-based eduroam network.
>> According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates
>> with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version
>  Likely due to TLS 1.2.
>> 53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from to length 0
>> (53282519) Tue Nov 27 16:07:35 2018: Debug:   Tunnel-Type = VLAN
>  Don't sent "radiusd -Xx" please... all of the documentation says to just use "radiusd -X".
>> It looks like a TLS mismtach but not sure. Any experiences with this ? Which TLS versions are supported by FR 3.0.17 ?
>  FreeRADIUS uses OpenSSL for TLS.  So check your OpenSSL library.
>  Odds are that you're running a version / OS which is a few years old, and doesn't support TLS 1.2.  You'll have to upgrade to a recent release of OpenSSL in order to fix that.

radiusd -Xv should show you the version of OpenSSL the server is linked against.

List info/subscribe/unsubscribe? See
If you reply to this email, your message will be added to the discussion below:
To unsubscribe from Users, click here<>.

More information about the Freeradius-Users mailing list