Hi Wondering if FreeRadius supports EAP TLS 1.2 authentication; our understanding is, if we have the OpenSSL version that supports the TLS 1.2 ciphers and FreeRadius EAP module is configured with the TLS 1.2 cipher, it should support. ISSUE: ===== Modem fails to do EAP TLS 1.2 authentication. Same modem successfully authenticates if it sends the SSL protocol of TLS 1.0 Want to make sure our FreeRadius configuration for EAP TLS 1.2 is correct. FreeRadius Version Details: ==================== Sat Jan 18 20:02:05 2014 : Info: radiusd: FreeRADIUS Version 3.0.0, for host x86_64-redhat-linux-gnu, built on Nov 19 2013 at 13:23:31 Sat Jan 18 20:02:05 2014 : Debug: Server was built with: Sat Jan 18 20:02:05 2014 : Debug: accounting Sat Jan 18 20:02:05 2014 : Debug: authentication Sat Jan 18 20:02:05 2014 : Debug: ascend binary attributes Sat Jan 18 20:02:05 2014 : Debug: coa Sat Jan 18 20:02:05 2014 : Debug: control-socket Sat Jan 18 20:02:05 2014 : Debug: detail Sat Jan 18 20:02:05 2014 : Debug: dhcp Sat Jan 18 20:02:05 2014 : Debug: dynamic clients Sat Jan 18 20:02:05 2014 : Debug: proxy Sat Jan 18 20:02:05 2014 : Debug: regex-pcre Sat Jan 18 20:02:05 2014 : Debug: session-management Sat Jan 18 20:02:05 2014 : Debug: stats Sat Jan 18 20:02:05 2014 : Debug: tcp Sat Jan 18 20:02:05 2014 : Debug: threads Sat Jan 18 20:02:05 2014 : Debug: tls Sat Jan 18 20:02:05 2014 : Debug: unlang Sat Jan 18 20:02:05 2014 : Debug: vmps Sat Jan 18 20:02:05 2014 : Debug: Server core libs: Sat Jan 18 20:02:05 2014 : Debug: talloc : 2.0.* Sat Jan 18 20:02:05 2014 : Debug: ssl : OpenSSL 1.0.0-fips 29 Mar 2010 SSL Version Details ============== OpenSSL 1.0.1e-fips 11 Feb 2013 OpenSSL ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5 CONFIGURATION: ============== Sorry if we missed any additional documentation, for EAP TLS 1.2 authentication, we updated our eap configuration cipher: cipher_list = "AES256-SHA256" When the modem sends the protocol as TLS 1.0 - it authenticates successfully with the cipher_list "AES256-SHA256:AES128-SHA" or cipher_list set to "DEFAULT"; But, when modem sends the protocol as TLS 2.0; the authentication fails in EAP module, with following error: ERROR from radius log ================= With cipher set to (AES256-SHA256), we see following error in the log: (3) eap : EAP TLS (13) (3) eap : Calling eap_tls to process EAP data (3) eap_tls : Authenticate (3) eap_tls : processing EAP-TLS TLS Length 50 (3) eap_tls : Length Included (3) eap_tls : eaptls_verify returned 11 (3) eap_tls : (other): before/accept initialization (3) eap_tls : TLS_accept: before/accept initialization (3) eap_tls : <<< TLS 1.0 Handshake [length 002d], ClientHello (3) eap_tls : >>> TLS 1.0 Alert [length 0002], fatal handshake_failure [1m[31m(3) ERROR: eap_tls : SSL says: TLS Alert write:fatal:handshake failure[0m [1m[31m(3) ERROR: eap_tls : SSL says: TLS_accept: error in SSLv3 read client hello C[0m [1m[31m(3) ERROR: eap_tls : SSL says: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher[0m [31mSSL: SSL_read failed in a system call (-1), TLS session fails.[0m TLS receive handshake failed during operation (3) eap_tls : eaptls_process returned 4 [1m[31m(3) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed[0m (3) eap : Failed in EAP select (3) [eap] = invalid (3) } # Auth-Type eap = invalid (3) Failed to authenticate the user. Attached is the complete log with -X option. Access-Request - Packet Capture Detail - EAP Message: ========================================== Here is the Access-Request packet capture from modem showing the SSL protocol as TLS 1.2, along with the Cipher's being sent (0x003d - AES256-SHA256, and 0x002f - AES128-SHA) AVP: l=64 t=EAP-Message(79) Last Segment[1] EAP fragment Extensible Authentication Protocol Code: Response (2) Id: 1 Length: 62 Type: TLS EAP (EAP-TLS) (13) EAP-TLS Flags: 0x80 1... .... = Length Included: True .0.. .... = More Fragments: False ..0. .... = Start: False EAP-TLS Length: 52 Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 47 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 43 Version: TLS 1.2 (0x0303) Random gmt_unix_time: Jan 17, 2014 10:28:34.000000000 Pacific Standard Time random_bytes: 5aece723603b9f8864bfd0c80e592377f01f0b4cc787511d... Session ID Length: 0 Cipher Suites Length: 4 Cipher Suites (2 suites) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Please let us know if you need any additional information. Thanks -Hanu