EAP fails on TLS protocol version with Windows 7, works fine with Windows 10
Alan DeKok
aland at deployingradius.com
Fri Nov 20 16:44:18 CET 2020
> On Nov 20, 2020, at 10:33 AM, Jochem Sparla <J.Sparla at iolan.com> wrote:
>
> I have a setup with a Windows 7 and Windows 10 computer authenticating with FreeRADIUS 3.0.20 running on Ubuntu 20.04.
>
> The Windows 7 client fails due to a TLS protocol version error:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3 [length 0062]
Don't use TLS 1.3. There is no standard for it.
Windows 7 is sending a different TLS negotiation than Windows 10. This means that FreeRADIUS can't send a "please use TLS 1.2" message.
> The Windows 10 client, with the same settings on both the client, switch and the same RADIUS server, works fine:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3 [length 0097]
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
That is *requesting* TLS 1.3.
> (2) eap_peap: >>> send TLS 1.2 [length 003d]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server hello
FreeRADIUS says "no, do TLS 1.2".
And then it works.
> TLS is configured in mods-enabled/eap:
> tls_max_version = "1.2"
> tls_min_version = "1.0"
So FreeRADIUS is configured correctly.
> I have been breaking my head and searching this for multiple days.
> The problem does not seem to be in the lack of TLS 1.3 support in FreeRADIUS/OpenSSL1.1.1f, because the Win10 client works fine. It starts by asking for TLS 1.3, but gets set to TLS 1.2 and works.
Yes. So it is *not* doing TLS 1.3. Because the client asks, and FreeRADIUS says "no".
> It seems my standard Windows 7 client (fully up to date) sends a bad TLS message, but I have no clue where to look for a solution.
Fix the Windows system so that it doesn't ask for TLS 1.3.
Alan DeKok.
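The negotiation described in this reply (the client offers TLS 1.3, the server answers with the highest version inside its tls_min_version/tls_max_version range), as an added Python example that is not part of this thread or of FreeRADIUS: it reads the supported_versions extension of a constructed ClientHello and applies the range check. The names offered_versions, negotiate and build_client_hello are the example's own, not FreeRADIUS or OpenSSL functions.

```python
import struct

VERSIONS = {0x0301: "1.0", 0x0302: "1.1", 0x0303: "1.2", 0x0304: "1.3"}
CODES = {name: code for code, name in VERSIONS.items()}
SUPPORTED_VERSIONS_EXT = 43  # extension type number from RFC 8446

def offered_versions(hello):
    """Versions a ClientHello handshake body offers, highest first.

    A TLS 1.3 client lists them in the supported_versions extension; an older
    client offers only the legacy client_version field.
    """
    legacy = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                            # legacy_version, random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    if pos + 2 > len(hello):                                # no extensions block at all
        return [legacy]
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + elen]
        if etype == SUPPORTED_VERSIONS_EXT:
            count = data[0] // 2                            # 1-byte length, then 2-byte versions
            return sorted(struct.unpack("!%dH" % count, data[1:1 + 2 * count]), reverse=True)
        pos += 4 + elen
    return [legacy]

def negotiate(offered, tls_min="1.0", tls_max="1.2"):
    """Highest offered version within the server's range, or None (handshake fails).

    tls_min/tls_max stand in for tls_min_version/tls_max_version in mods-enabled/eap.
    """
    lo, hi = CODES[tls_min], CODES[tls_max]
    for v in sorted(offered, reverse=True):
        if lo <= v <= hi:
            return VERSIONS[v]
    return None

def build_client_hello(legacy=0x0303, supported=()):
    """Constructed minimal ClientHello body (zero random, one suite) for testing."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00"          # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"        # one suite, null compression
    if supported:
        data = bytes([2 * len(supported)]) + struct.pack("!%dH" % len(supported), *supported)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    return body
```

A client offering 1.3 down to 1.0 gets "1.2" from a server capped at tls_max_version = "1.2"; a client offering nothing inside the configured range gets None, which is the point at which a handshake stops.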