EAP TTLS woes
Alan DeKok
aland at deployingradius.com
Tue Sep 28 17:46:46 CEST 2021
On Sep 28, 2021, at 10:57 AM, Adrian Smith via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> More logs from v3.0.x build:
>
> Seems like the failing client is not sending enough of something for "ClientKeyExchange" ?
> ...
> Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Continuing ...
> Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Peer sent flags ---
> Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Verification says ok
> Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Done initial handshake
> Tue Sep 28 15:27:32 2021 : Debug: (TLS) Received 2 bytes of TLS data
> Tue Sep 28 15:27:32 2021 : Debug: (TLS) 02 50
> Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) recv TLS 1.2 Alert, fatal internal_error
> Tue Sep 28 15:27:32 2021 : ERROR: (7) eap_ttls: (TLS) Alert read:fatal:internal error
The client is sending that alert to the server. So there's some internal error on the client.
What is that error? Ask the client. :(
FreeRADIUS can only report the error and drop the connection.
You might try upgrading OpenSSL and/or checking the list of ciphers, digests, etc. If you're running OpenSSL from 2013, it will default to encryption methods which have likely been deprecated and/or forbidden in recent versions of Windows.
Try using a new VM with a newer version of OpenSSL. If that works, then the failure is some magic with an 8-year-old version of OpenSSL.
Alan DeKok.
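
The two bytes `02 50` in the quoted debug log are the alert itself: level 2 (fatal), description 0x50 = 80 (internal_error). As an added example (not part of the original message and not FreeRADIUS code), this Python script pulls such pairs out of debug output and names them using the RFC 5246 alert tables. It assumes a "Received 2 bytes of TLS data" line followed by a hex dump line is an alert body, as in the log above; the function names and the last two sample lines are constructed.

```python
import re

# Alert levels and a subset of descriptions from RFC 5246 section 7.2.
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}
RECEIVED = re.compile(r"\(TLS\) Received (\d+) bytes of TLS data")
HEXDUMP = re.compile(r"\(TLS\)\s+((?:[0-9a-fA-F]{2}\s*)+)$")

# First three lines come from the quoted log; the last two are constructed.
SAMPLE_LOG = """\
Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Done initial handshake
Tue Sep 28 15:27:32 2021 : Debug: (TLS) Received 2 bytes of TLS data
Tue Sep 28 15:27:32 2021 : Debug: (TLS) 02 50
Tue Sep 28 15:27:40 2021 : Debug: (TLS) Received 2 bytes of TLS data
Tue Sep 28 15:27:40 2021 : Debug: (TLS) 01 00
"""

def decode_alert(payload):
    """Map a 2-byte alert body (level, description) to names; None if not 2 bytes."""
    if len(payload) != 2:
        return None
    level, desc = payload
    return (LEVELS.get(level, f"unknown({level})"),
            DESCRIPTIONS.get(desc, f"unknown({desc})"))

def find_alerts(lines):
    """Decode each hex dump line that directly follows a 'Received 2 bytes' line."""
    alerts, expected = [], 0
    for line in lines:
        line = line.rstrip()
        received = RECEIVED.search(line)
        if received:
            expected = int(received.group(1))
            continue
        dump = HEXDUMP.search(line)
        alert = decode_alert(bytes.fromhex(dump.group(1))) if dump and expected == 2 else None
        if alert:
            alerts.append(alert)
        expected = 0
    return alerts

if __name__ == "__main__":
    for level, name in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"TLS alert from peer: {level} {name}")
```

The decoded name only says what the peer reported; the cause of an internal_error still has to come from the client's own logs.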