Hi, I recently got a VPS for my RADIUS server as I am having issues keeping my local server online due to prolonged rolling blackouts. My new server is Ubuntu 22.04.2 and I have installed the latest FreeRADIUS v3.2.3 and I am using MySQL. My FreeRADIUS server is working perfectly for PPPoE authentication on Mikrotik. My problem comes in on my Ubiquiti Sectors where I have WPA2-Enterprise Authentication on the WiFi devices. My old server is running Ubuntu 18 with FreeRadius v3.0, and on that server my WPA2-Enterprise authentication is working perfectly. The error I am getting on the new server looks like this in the log file: (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 62 bytes (6) eap_peap: (TLS) EAP Got all data (62 bytes) (6) eap_peap: (TLS) Handshake state - before SSL initialization (6) eap_peap: (TLS) Handshake state - Server before SSL initialization (6) eap_peap: (TLS) Handshake state - Server before SSL initialization (6) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello (6) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version (6) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version (6) eap_peap: ERROR: (TLS) Server : Error in error (6) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol (6) eap_peap: ERROR: (TLS) System call (I/O) error (-1) (6) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation (6) eap_peap: ERROR: [eaptls process] = fail (6) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 1 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # authenticate = invalid (6) Failed to authenticate the user The problem looks like the client is sending a TLS 1.3 Handshake, and FreeRADIUS is replying with a TLS 1.0 reply. I have also noticed that Ubuntu 22 is using OpenSSL 3.0.2 15 and Ubuntu 18 was using OpenSSL 1.1.1. And this is where, I suspect, my problem is, but I am unsure how to get around this. What I have tried: * Setting TLS Max version to 1.3 in eap config * Removing OpenSSL v3.0 and installing OpenSSL v1.1.1 on ubuntu 22, but this broke and removed a lot of stuff. * Downgraded to FreeRADIUS 3.0, same problem. I could just get a VPS with Ubuntu 18, but this realy defeats the point as Ubuntu 18 is almost at end of life, and having the latest OS would be a good option. Is there anyone out there that got WPA2-Enterprise authentication working on FreeRADIUS 3.0 or 3.2 on Ubuntu 22? Thanks Roudi
On Jun 24, 2023, at 12:52 PM, Roudi via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I recently got a VPS for my RADIUS server as I am having issues keeping my local server online due to prolonged rolling blackouts.
My new server is Ubuntu 22.04.2 and I have installed the latest FreeRADIUS v3.2.3 and I am using MySQL. My FreeRADIUS server is working perfectly for PPPoE authentication on Mikrotik. My problem comes in on my Ubiquiti Sectors where I have WPA2-Enterprise Authentication on the WiFi devices. My old server is running Ubuntu 18 with FreeRadius v3.0, and on that server my WPA2-Enterprise authentication is working perfectly.
The error I am getting on the new server looks like this in the log file:
(6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 62 bytes (6) eap_peap: (TLS) EAP Got all data (62 bytes) (6) eap_peap: (TLS) Handshake state - before SSL initialization (6) eap_peap: (TLS) Handshake state - Server before SSL initialization (6) eap_peap: (TLS) Handshake state - Server before SSL initialization (6) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello (6) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
That's the critical message.
The problem looks like the client is sending a TLS 1.3 Handshake, and FreeRADIUS is replying with a TLS 1.0 reply.
Yes. But that's not happening. OpenSSL is lying to us. What's really happening is that the supplicant is sending a TLS 1.0 handshake, and OpenSSL tells FreeRADIUS it's TLS 1.3. That information is only used for this message, and FreeRADIUS knows to ignore it. OpenSSL will later change its mind, and tell us the correct version of TLS. Since the client is sending TLS 1.0, FreeRADIUS has to send back TLS 1.0 in any message back to the client. So that's what is really happening.
I have also noticed that Ubuntu 22 is using OpenSSL 3.0.2 15 and Ubuntu 18 was using OpenSSL 1.1.1. And this is where, I suspect, my problem is, but I am unsure how to get around this.
Ubuntu 18 allows TLS 1.0. Ubuntu 22 doesn't. You should really upgrade the supplicant to use TLS 1.2. TLS 1.0 has been out of date for a very long time. It's also been officially deprecated, which is why Ubuntu 22 doesn't allow you to use it.
What I have tried: * Setting TLS Max version to 1.3 in eap config
Se tls_min_version = 1.0 And then update the various other configuration options for TLS 1.0. See mods-available/eap, and look for "TLS 1.0".
Is there anyone out there that got WPA2-Enterprise authentication working on FreeRADIUS 3.0 or 3.2 on Ubuntu 22?
Yes: * use TLS 1.2, and there will be nothing special required * if the suppliants use TLS 1.0, then upgrade them. * otherwise if you can't upgrade, then configure FreeRADIUS for TLS 1.0 as described above. But using TLS 1.0 is a bad idea. Old / insecure protocols shouldn't be used. Alan DeKok.
participants (2)
-
Alan DeKok -
roudi@rjbsoft.co.za