EAP fails on TLS protocol version with Windows 7, works fine with Windows 10

L.P.H. van Belle belle at bazuin.nl
Fri Nov 20 16:36:56 CET 2020


Google KB3140245 

and/or 
https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-1-2-on-Windows-7.html 

might help you.

Greetz, 

Louis
 

> -----Original message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Jochem Sparla
> Sent: Friday 20 November 2020 16:33
> To: freeradius-users at lists.freeradius.org
> Subject: EAP fails on TLS protocol version with Windows 7, works fine with Windows 10
> 
> I have a setup with a Windows 7 and Windows 10 computer 
> authenticating with FreeRADIUS 3.0.20 running on Ubuntu 20.04.
> 
> The Windows 7 client fails due to a TLS protocol version error:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3  [length 0062]
> (2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
> (2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
> tls: TLS_accept: Error in error
> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> (2) eap_peap: ERROR: System call (I/O) error (-1)
> (2) eap_peap: ERROR: TLS receive handshake failed during operation
> (2) eap_peap: ERROR: [eaptls process] = fail
> (2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (2) eap: Sending EAP Failure (code 4) ID 3 length 4
> (2) eap: Failed in EAP select
> (2)     [eap] = invalid
> (2)   } # authenticate = invalid
> (2) Failed to authenticate the user
> (2) Using Post-Auth-Type Reject
> 
> 
> The Windows 10 client, with the same settings on both the 
> client, switch and the same RADIUS server, works fine:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3  [length 0097]
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (2) eap_peap: >>> send TLS 1.2  [length 003d]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server hello
> (2) eap_peap: >>> send TLS 1.2  [length 0308]
> (2) eap_peap: TLS_accept: SSLv3/TLS write certificate
> (2) eap_peap: >>> send TLS 1.2  [length 014d]
> (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
> (2) eap_peap: >>> send TLS 1.2  [length 0004]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server done
> (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
> (2) eap_peap: TLS - In Handshake Phase
> (2) eap_peap: TLS - got 1194 bytes of data
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 4 length 1004
> (2) eap: EAP session adding &reply:State = 0x30a058ae32a441c4
> (2)     [eap] = handled
> (2)   } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> 
> 
> TLS is configured in mods-enabled/eap:
> tls_max_version = "1.2"
> tls_min_version = "1.0"
> 
> 
> I have been breaking my head and searching this for multiple days.
> The problem does not seem to be in the lack of TLS 1.3 
> support in FreeRADIUS/OpenSSL1.1.1f, because the Win10 client 
> works fine. It starts by asking for TLS 1.3, but gets set to 
> TLS 1.2 and works.
> It seems my standard Windows 7 client (fully up to date) sends 
> a bad TLS message, but I have no clue where to look for a solution.
> 
> 
> Thanks in advance,  Jochem
> 
> 
> IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands
> T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199
> E iolan at iolan.com • I http://www.iolan.com/
> 
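
Both debug excerpts in the quoted post log the same `recv TLS 1.3` line, so what separates them is the server's `protocol_version` alert and the OpenSSL `unsupported protocol` error. The following is an added example, not part of the original thread or of FreeRADIUS: it groups such debug lines by request number and flags the rejected handshake. The sample text is constructed from the lines quoted above (the Windows 10 excerpt renumbered as request 5), and the function and verdict names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the two excerpts in the quoted post.
# The Windows 10 excerpt is renumbered to request 5 so both fit in one log.
SAMPLE = """\
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3  [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap: Sending EAP Failure (code 4) ID 3 length 4
(5) eap_peap: <<< recv TLS 1.3  [length 0097]
(5) eap_peap: >>> send TLS 1.2  [length 003d]
(5) eap_peap: TLS_accept: SSLv3/TLS write server hello
(5) eap: Sending EAP Request (code 1) ID 4 length 1004
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")  # "(N) message"
RECV = re.compile(r"<<< recv (TLS [\d.]+)")
SENT = re.compile(r">>> send (TLS [\d.]+)\s+\[length")  # non-alert records only
ALERT = re.compile(r">>> send TLS [\d.]+ Alert \[length \w+\], (\w+ \w+)")
OSSL = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:\w+:(.+)$")


def summarize(log_text):
    """Group debug lines by request number and classify each TLS handshake."""
    sessions = defaultdict(lambda: dict(recv=None, sent=None, alert=None,
                                        openssl=None, verdict="no_tls_seen"))
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a request number are ignored
        s, msg = sessions[int(m.group(1))], m.group(2)
        for key, rx in (("recv", RECV), ("sent", SENT),
                        ("alert", ALERT), ("openssl", OSSL)):
            hit = rx.search(msg)
            if hit and s[key] is None:  # keep the first occurrence per request
                s[key] = hit.group(1).strip()
    for s in sessions.values():
        if s["alert"] == "fatal protocol_version" or s["openssl"] == "unsupported protocol":
            s["verdict"] = "version_rejected"
        elif s["sent"]:
            s["verdict"] = "handshake_progressing"
    return dict(sessions)


if __name__ == "__main__":
    for req, s in sorted(summarize(SAMPLE).items()):
        print(req, s)
```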
