On Sep 17, 2024, at 12:46 PM, Rodrigo Abrantes Antunes <rodrigoantunes@pelotas.ifsul.edu.br> wrote:
## REJECTED .. (911) eap_peap: (TLS) send TLS 1.2 Alert, fatal protocol_version (911) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
Ah, that's the other end saying it doesn't like the protocol version which FreeRADIUS is using.
It should negotiate a mutually compatible TLS version, but... whatever.
Doesn't cipher_list = "DEFAULT@SECLEVEL=0" says the server to support the old ciphers?
That configuratio tells OpenSSL to support the old ciphers. Mostly.
Some newer OS distributions have removed support for old TLS versions from OpenSSL. You will need to investigate your local OS to see what it supports, and what TLS versions are supported by the OpenSSL libraries.
Again... this isn't a FreeRADIUS issue. No amount of poking FreeRADIUS will get OpenSSL to support TLS 1.0 with triple-DES, if that's what the clients are using. You night just need to upgrade the client, or build a custom version of OpenSSL.
Configure OpenSSL (e.g. cipher_list) so that it works with a new version of OpenSSL. Or, use an old version of OpenSSL. There really aren't many other choices.
What are the other choices possible?
Live with the fact the some devices won't work, because they're too old.
What can explain that sometimes the same clients get accepted? I have sent the accept log in the other email. I kick the user from the wireless controller and it get accepted, but after some time it get rejected but soon it get accepted again, it seems to be random (see below). Could be that the client or the server is doing some kind of failover? Trying one version, if it dont work try another? If yes, is this configurable? 2024-09-17T13:34:00.037165-03:00 ifs01sv004 radiusd[124150]: (4131) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 70-18-8b-fd-8f-e5) 2024-09-17T13:34:18.500907-03:00 ifs01sv004 radiusd[124150]: (4757) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 0 via TLS tunnel) 2024-09-17T13:34:18.504874-03:00 ifs01sv004 radiusd[124150]: (4758) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3) 2024-09-17T13:36:52.439539-03:00 ifs01sv004 radiusd[124150]: (7831) Login incorrect (eap_peap: (TLS) Alert write:fatal:protocol version): [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3) 2024-09-17T13:37:58.161709-03:00 ifs01sv004 radiusd[124150]: (9110) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 0 via TLS tunnel) 2024-09-17T13:37:58.166535-03:00 ifs01sv004 radiusd[124150]: (9112) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3) 2024-09-17T13:38:19.715578-03:00 ifs01sv004 radiusd[124150]: (9543) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 0 via TLS tunnel) 2024-09-17T13:38:19.720846-03:00 ifs01sv004 radiusd[124150]: (9544) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3) 2024-09-17T13:38:54.160824-03:00 ifs01sv004 radiusd[124150]: (10034) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 0 via TLS tunnel) 2024-09-17T13:38:54.171994-03:00 ifs01sv004 radiusd[124150]: (10035) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3) 2024-09-17T13:41:08.645238-03:00 ifs01sv004 radiusd[124150]: (11986) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 0 via TLS tunnel) 2024-09-17T13:41:08.650699-03:00 ifs01sv004 radiusd[124150]: (11987) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3) 2024-09-17T13:43:23.660156-03:00 ifs01sv004 radiusd[124150]: (14127) Login incorrect (eap_peap: (TLS) Alert write:fatal:protocol version): [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3) 2024-09-17T13:43:38.674200-03:00 ifs01sv004 radiusd[124150]: (14462) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 0 via TLS tunnel) 2024-09-17T13:43:38.678449-03:00 ifs01sv004 radiusd[124150]: (14463) Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3)