On Sep 28, 2021, at 10:57 AM, Adrian Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
More logs from v3.0.x build:
Seems like the failing client is not sending enough of something for "ClientKeyExchange" ? ... Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Continuing ... Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Peer sent flags --- Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Verification says ok Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) EAP Done initial handshake Tue Sep 28 15:27:32 2021 : Debug: (TLS) Received 2 bytes of TLS data Tue Sep 28 15:27:32 2021 : Debug: (TLS) 02 50 Tue Sep 28 15:27:32 2021 : Debug: (7) eap_ttls: (TLS) recv TLS 1.2 Alert, fatal internal_error Tue Sep 28 15:27:32 2021 : ERROR: (7) eap_ttls: (TLS) Alert read:fatal:internal error
The client is sending that alert to the server. So there's some internal error on the client. What is that error? Ask the client. :( FreeRADIUS can only report the error and drop the connection. You might try upgrading OpenSSL and/or checking the list of ciphers, digests, etc. If you're running OpenSSL from 2013, it will default to encryption methods which have likely been deprecated and/or forbidden in recent versions of Windows. Try using a new VM with a newer version of OpenSSL. If that works, then the failure is some magic with an 8 year-old version of OpenSSL. Alan DeKok.