Freeradius and unexpected TLS version ->Access-Reject

Alan DeKok aland at deployingradius.com
Fri Feb 21 14:29:21 CET 2020 


> On Feb 21, 2020, at 12:25 PM, iilinasi <Irina.Ilina-Sidorova at ulb.ac.be> wrote:
> I have a weird issue with freeradius 3.0.16.
> 
> I try to implement an auth exchange with the RADIUS, requesting EAP-TLS. At this moment I only need to get to the phase when server responds with Access-Challenge with server certificate (so, 2 packets from NAD and 2 from the server). To generate NAD-side packets I use python3 with scapy.
> 
> Freeradius was set up to use EAP-TLS for test user auth. First access-request from the NAD side is responded with Access-Challenge from the server. So far so good.
> 
> But when I send the second packet, I receive an Access-Reject. Suprisingly, the server reports I'm using unsupported TLS version ?0304?. Why "surprizingly"? Well, because I use earlier TLS version, and it is well visible even in server debugs (if you check "eap message" part, where is "0301").

  That's for TLS 1.3.  You cannot do TLS 1.3 with EAP-TLS.  The standard has not yetis been written.  It is not yet supported.

  wpa_supplicant has code which *should* work, if the proposed standards don't change.  We're waiting for the standards to be finalized before implementing anything.

> I also checked in Wireshark (captured both on the server machine and "NAD" machine) - the packet is correctly dissected by latest wireshark and has TLS1.1 inside.

  If it's complaining about "TLS version 0304", then it's likely using TLS 1.3.

  The other option is to upgrade to 3.0.20, which has been out for a while.  There isn't much reason to do a new install of 3.0.16 at this point.

> Caching is disabled.
> 
> OpenSSL is already at the newest version (1.1.1-1ubuntu2.1~18.04.5).
> 
> I tried to rebuild my VM from scratch (so again, installed Ubuntu 18, freeradius 3.0.16, etc) - but the issue persists.
> 
> Here is the debug:
> 
>    Ready to process requests
> 
>    (0) Received Access-Request Id 200 from 192.168.0.14:53256 to 192.168.0.59:1812 length 67 (0) Service-Type = Framed-User (0) User-Name = "test" (0) Framed-MTU = 1500 (0) EAP-Message = 0x020500090174657374 (0) Message-Authenticator = 0xefe697c97fd0118935d39e9a25d6baff (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0)

  Hmm... mangled and unreadable.

  Alan DeKok.

More information about the Freeradius-Users mailing list