On 23 Sep 2015, at 14:04, Rohan Mahy <rohan.mahy@gmail.com> wrote:
Hi, I am trying to debug an EAP-TTLS handshake problem between FreeRADIUS 2.2.4 with OpenSSL 1.0.1f and Mac OS X 10.10.5 and 10.9.5. The Macs are using WPA2 Enterprise / 802.1x through a Meraki MR34 Access Point. This configuration works fine with Windows 8 and Android 4.4.1.
My questions for the FreeRADIUS folks:
a) Is there a way that I can view the decoded TLS attributes from the TLS handshake? (I'm already running with the -X option). For example, I'd like to see what ciphersuites are being proposed and any additional attributes in the the ClientHello.
Maybe more -x arguments, but I don't think so. If you feel like running a v3.1.x version, i'd be happy to work with you to add additional debugging.
b) FreeRADIUS/OpenSSL and these versions of Mac OS X can all do TLS 1.2. Does the text "TLS 1.0 Handshake" in the log really mean that it is only using TLS 1.0 instead of TLS 1.2?
For 2.2.4, yes.
c) There is a message in the log "TLS_accept: failed in SSLv3 read client certificate A". Does this mean that there was a client certificate presented by the client? (there shouldn't be a client cert at all)
In this case it looks like the client sent a TLS notice saying it was closing the TLS session (instead of a certificate). The error message is misleading.
d) Does anyone have any other suggestions to make this work? I already tried setting the cipher_list to well used ciphers that the Macs generally like ('AES+aRSA') and got the same result. (The trace below is with the default cipher_list).
Debugging logs on the supplicant are your best bet. This isn't an MTU issue or a misconfiguration of the NAS/FreeRADIUS AFAICT. The supplicant is likely rejecting the server certificate for some reason. Double check you provided the complete certificate chain, that the Root CA is trusted, that the CN in the server certificate is correct for the wireless profile. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2