Problem with TTLS setup. EAP clients negotiate TLSv1.2 but FR reports "Unknown TLS version". Any idea? ######################## freeradius: FreeRADIUS Version 2.2.7, for host x86_64-pc-linux-gnu, built on May 20 2015 at 15:09:29 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. ######################## OpenSSL 1.0.1f 6 Jan 2014 ######################## rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=246, length=163 User-Name = "xxx" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 11 NAS-Port-Id = "ikev1_iPhone" NAS-IP-Address = 55.55.55.55 Called-Station-Id = "55.55.55.55[500]" Calling-Station-Id = "10.8.0.41[500]" EAP-Message = 0x02000014016761627269656c2e736b757069656e NAS-Identifier = "xxx" Message-Authenticator = 0x3081d2a8deb390730c6a4549a473d550 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "xxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 20 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 246 to 127.0.0.1 port 41457 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabbe8980abbf9c62469ee671636876ab Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=247, length=366 User-Name = "xxx" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 11 NAS-Port-Id = "ikev1_iPhone" NAS-IP-Address = 55.55.55.55 Called-Station-Id = "55.55.55.55[500]" Calling-Station-Id = "10.8.0.41[500]" EAP-Message = 0x020100cd1580000000c316030300be010000ba0303555c8c48a01b005b0cd652b9a53aa87fbbaa396563f547fd22c3c9c2484d36a4000048c009c023c00ac024c02bc02cc013c027c014c028c02fc030003300670039006b009e009f004500be008800c40016002f003c0035003d009c009d004100ba008400c0c008c012000a01000049000d001600140403050306030203040105010601030102010101000a000c000a00170018001900150013000b000201000000001500130000106d6f6f6e2e696e742e636369672e706c NAS-Identifier = "xxx" State = 0xabbe8980abbf9c62469ee671636876ab Message-Authenticator = 0x8753091a175404cac7110ea5a622c82a # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "xxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 205 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 195 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< Unknown TLS version [length 00be] [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> Unknown TLS version [length 0034] [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> Unknown TLS version [length 02c6] [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> Unknown TLS version [length 014d] [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> Unknown TLS version [length 0004] [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 247 to 127.0.0.1 port 41457 EAP-Message = 0x0102040015c00000045f16030300340200003003039133f78dbb4a2fd7a086f78271b18d472b8e3f9a24cf88c85fefa041a396614b00c013000008000b00040300010216030302c60b0002c20002bf0002bc308202b8308201a0a003020102020900f25943f5edd1f259300d06092a864886f70d01010b0500301431123010060355040313096c6f63616c686f7374301e170d3135303531353133313833365a170d3235303531323133313833365a301431123010060355040313096c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100d60d70fda5d3dc73b6f490dde396e249b5f4ed9ab84209 EAP-Message = 0x65a696f9147657575a9c96ca528986c48cbcb8a180d58d0ab3ca6ec6a645475be6a4bc8d4f653e0d674f5c650704e10ad0498bc553b4b86ed39507ec8c7ff843e3c95ab7a6ae1318edd8d21c4e8875f38aef3d5148306f5f35c8c27f032a541a4d71ec9d02b70502241bb90bbb60d476d33263924f5f0e256f283617cd9780a9fb7235e6f721ab5274028dd8608c5b1b981af461a0de1cc24231de37b4f8fdeea51f0704fb69d7d15b08d1696245a9ec41ef1217886079fb904b69a94a18850f4466ad3a02b93b8f31513380bff48b14fb078107bf7315a24ddd5c5291e2ccefc90e5fb7843736f94f0203010001a30d300b30090603551d1304023000 EAP-Message = 0x300d06092a864886f70d01010b050003820101008fd5f2ec9307ad98a5dbf620f21b24f98cf32ed1a453bcf22085e9692fb5977e35ff5f0f6aefadc54842a27aa218781437dbaa12faed330c7cc83b03050fba03df50b7fd0ce055ee9054eb68419972d23bbc3db135fa1b82cfe35d643a08604efea8e7c172d7f6bb36952dac4b7aeb2487348dec01e8db8439c148d93cfcda6f71cecf8fa95608a18878223271e6d3968c9ebc5a874a35a6daefd538f869cfb34da300dc28d66f241139effcb13fc1020616b089b2eeffc3f0c5fd91a8f6fa42c6d3e4af83a16baf71070ed626361dac26a24164e975c4f183e7ecde28c737019b90c0eec445dc5c76 EAP-Message = 0xae8c81dd943c66e928762e55622a0b19d7c9f0ddb7ffff160303014d0c00014903001741048e7fe751552742003b186c7c3534cd294315fb4afb7d1191e3923cd601b69b0b683e76c3fc3a3dfb78c8c9d375e935410315b7952a3f6fda178961e26091a38b040101004f0e161de68fcca962694554b02d8309d071adf0c2c64bbb85621ed5ef227ba40ce6b4c1e2d3a02d43c18a4f79ded7db78f53d1e2c44d51b083a1d102aead8c8690e1d576a54ce475945dc1a3e8ce9e9f9b551cf5c05ec60dc97e00dc08607a149cf4b31b346ba259d0bcfd572922b1c6106f065ac2f0d800174716e7b82d157bcfa0387c21499a2e02ca2ac443474ca0a87198c EAP-Message = 0x4e7414ea4ce39155cc8a4031 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabbe8980aabc9c62469ee671636876ab Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=248, length=178 User-Name = "xxx" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 11 NAS-Port-Id = "ikev1_iPhone" NAS-IP-Address = 55.55.55.55 Called-Station-Id = "55.55.55.55[500]" Calling-Station-Id = "10.8.0.41[500]" EAP-Message = 0x0202001115800000000715030300020231 NAS-Identifier = "xxx" State = 0xabbe8980aabc9c62469ee671636876ab Message-Authenticator = 0xb28272a72ca2d41818e008e8659849f9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "xxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 17 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 7 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< Unknown TLS version [length 0002] TLS Alert read:fatal:access denied TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [ttls] eaptls_process returned 4 [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect (TLS Alert read:fatal:access denied): [xxx/<via Auth-Type = EAP>] (from client localhost port 11 cli 10.8.0.41[500]) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> xxx attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 248 to 127.0.0.1 port 41457 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 246 with timestamp +6 Cleaning up request 1 ID 247 with timestamp +6 Waking up in 1.0 seconds. Gabriel