Ah, I read that it doesn't support 1.3 (that's why I had 1.2 set) but I missed the note about 1.2/1.1. Thanks. So now freeradius sends a response, but it still ends up with: (2) eap: Calling submodule eap_fast to process data (2) eap_fast: Authenticate (2) eap_fast: Continuing EAP-TLS (2) eap_fast: [eaptls verify] = ok (2) eap_fast: Done initial handshake (2) eap_fast: (other): before SSL initialization (2) eap_fast: TLS_accept: before SSL initialization (2) eap_fast: TLS_accept: before SSL initialization (2) eap_fast: <<< recv TLS 1.3 [length 005a] (2) eap_fast: >>> send TLS 1.1 [length 0002] (2) eap_fast: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error (2) eap_fast: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher (2) eap_fast: ERROR: System call (I/O) error (-1) (2) eap_fast: ERROR: TLS receive handshake failed during operation (2) eap_fast: ERROR: [eaptls process] = fail (2) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed (2) eap: Sending EAP Failure (code 4) ID 209 length 4 cipher_list is set to "ALL:!EXPORT:!eNULL:!SSLv2@SECLEVEL=0" in fast {...} and "ALL:!EXPORT:!eNULL:!SSLv2" in tls-config tls-common { ...} as the comments in mods-available/eap suggest. Does that mean that the access point insists on a newer version of TLS? Thanks Sebastian Am Do., 29. Okt. 2020 um 12:37 Uhr schrieb Alan DeKok <aland@deployingradius.com>:
On Oct 29, 2020, at 5:14 AM, Sebastian <radius@wehle.dev> wrote:
I try to do an 802.1x authentication of Cisco access points on Aruba switches against Freeradius 3.0.21-1 under Debian 10.6.
The APs prefer to do EAP-FAST so I enabled the relevant parts in modules-enabled/eap but whenever a EAP-FAST request arrives now, it throws this: (2) eap: Calling submodule eap_fast to process data (2) eap_fast: Authenticate (2) eap_fast: Continuing EAP-TLS (2) eap_fast: [eaptls verify] = ok (2) eap_fast: Done initial handshake (2) eap_fast: (other): before SSL initialization (2) eap_fast: >>> send TLS 1.3 [length 0002]
There is no standard for using TLS 1.3 with *any* EAP method.
The EAP-FAST implementation in FreeRADIUS uses only TLS 1.1.
I tried to change tls_max_version from 1.2 to 1.3 but that didn't change anything.
Change it to 1.1.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html