I checked and enabled TLS 1.1 and 1.2 as described. With 1.0 + 1.1 + 1.2 enabled, the problem stays the same. With 1.0 disabled, and 1.1 + 1.2 enabled, the problem changes. I now get a "WARNING: !! EAP session for state 0x*************** did not finish!". I searched: this is usually a certificate or MTU problem. I do not use certificates at the moment. In Windows configuration 'check server certificate' is not checked. I changed the MTU of the client from 1500 to 1250 and 1000, without success. What else can be causing this? Jochem IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199 E iolan@iolan.com • I http://www.iolan.com/ De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents here in and notify the sender immediately by return e-mail. -----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+j.sparla=iolan.com@lists.freeradius.org] Namens L.P.H. van Belle via Freeradius-Users Verzonden: vrijdag 20 november 2020 16:37 Aan: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> CC: L.P.H. van Belle <belle@bazuin.nl> Onderwerp: RE: EAP fails on TLS protocol version with Windows 7, works fine with Windows 10 Google KB3140245 and/or https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-1-2... might help you. Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Jochem Sparla Verzonden: vrijdag 20 november 2020 16:33 Aan: freeradius-users@lists.freeradius.org Onderwerp: EAP fails on TLS protocol version with Windows 7, works fine with Windows 10
I have a setup with a Windows 7 and Windows 10 computer authenticating with FreeRADIUS 3.0.20 running on Ubuntu 20.04.
The Windows 7 client fails due to a TLS protocol version error: (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.3 [length 0062] (2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version (2) eap_peap: ERROR: TLS Alert write:fatal:protocol version tls: TLS_accept: Error in error (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (2) eap_peap: ERROR: System call (I/O) error (-1) (2) eap_peap: ERROR: TLS receive handshake failed during operation (2) eap_peap: ERROR: [eaptls process] = fail (2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (2) eap: Sending EAP Failure (code 4) ID 3 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject
The Windows 10 client, with the same settings on both the client, switch and the same RADIUS server, works fine: (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.3 [length 0097] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 003d] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 0308] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 014d] (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 1194 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 1004 (2) eap: EAP session adding &reply:State = 0x30a058ae32a441c4 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge
TLS is configured in mods-enabled/eap: tls_max_version = "1.2" tls_min_version = "1.0"
I have been breaking my head and searching this for multiple days. The problem does not seem to be in the lack of TLS 1.3 support in FreeRADIUS/OpenSSL1.1.1f, because the Win10 client works fine. It starts by asking for TLS 1.3, but gets set to TLS 1.2 and works. I seems my standard Windows 7 client (fully up to date) sends a bad TLS message, but I have no clue where to look for a solution.
Thanks in advance, Jochem
IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199 E iolan@iolan.com • I http://www.iolan.com/
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents here in and notify the sender immediately by return e-mail.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html