For anyone having this problem ... upgrading to FreeRADIUS 3.0.17, and to openssl 1.0.2p appears to have solved the problem.
Moving to FR3 is long overdue. It will require some reconfigurations on my part, which will surely prompt more questions. Thanks for the advice so far.
Just a follow-up to my follow-up, purely for those that run into this issue in the future. The root cause was not FR version related. It appears that my client (Mac OS 10.13.6) terminates the TLS session when it realizes that it does not trust the server-side certificate. FreeRADIUS is barking about the closure of this TLS session. The same issue recurs under FreeRADIUS 3.0.17, albeit with a slightly different output. I finally rooted this out digging through client-side 802.1x logs and discovered a misconfiguration in our onboarding tool. Thanks Norman On Tue, Aug 14, 2018 at 4:10 PM Norman Elton <normelton@gmail.com> wrote:
To be fair, we have FreeRADIUS deployed on RHEL6, using the RedHat-supplied packages. So far, we've been happy with the stability this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :)
For anyone having this problem ... upgrading to FreeRADIUS 3.0.17, and to openssl 1.0.2p appears to have solved the problem.
Moving to FR3 is long overdue. It will require some reconfigurations on my part, which will surely prompt more questions. Thanks for the advice so far.
Norman On Tue, Aug 14, 2018 at 10:39 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 14, 2018, at 10:34 AM, Norman Elton <normelton@gmail.com> wrote:
Deploying EAP-TLS, I've got the CA and certificate configured on the server, and the client-side certificate on the client. But I'm getting a "Unknown TLS version [length 0002]" message. Debug output below.
You're running v2. I would suggest upgrading.
Is the "[length 0002]" referring to only have two bytes to parse? Is some of the transaction getting lost someplace?
I'm not sure. It's a TLS issue.
To be fair, we have FreeRADIUS deployed on RHEL6, using the RedHat-supplied packages. So far, we've been happy with the stability this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :)
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html