[ttls] <<< Unknown TLS version [length 0002]
Problem with TTLS setup. EAP clients negotiate TLSv1.2 but FR reports "Unknown TLS version". Any idea? ######################## freeradius: FreeRADIUS Version 2.2.7, for host x86_64-pc-linux-gnu, built on May 20 2015 at 15:09:29 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. ######################## OpenSSL 1.0.1f 6 Jan 2014 ######################## rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=246, length=163 User-Name = "xxx" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 11 NAS-Port-Id = "ikev1_iPhone" NAS-IP-Address = 55.55.55.55 Called-Station-Id = "55.55.55.55[500]" Calling-Station-Id = "10.8.0.41[500]" EAP-Message = 0x02000014016761627269656c2e736b757069656e NAS-Identifier = "xxx" Message-Authenticator = 0x3081d2a8deb390730c6a4549a473d550 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "xxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 20 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 246 to 127.0.0.1 port 41457 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabbe8980abbf9c62469ee671636876ab Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=247, length=366 User-Name = "xxx" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 11 NAS-Port-Id = "ikev1_iPhone" NAS-IP-Address = 55.55.55.55 Called-Station-Id = "55.55.55.55[500]" Calling-Station-Id = "10.8.0.41[500]" EAP-Message = 0x020100cd1580000000c316030300be010000ba0303555c8c48a01b005b0cd652b9a53aa87fbbaa396563f547fd22c3c9c2484d36a4000048c009c023c00ac024c02bc02cc013c027c014c028c02fc030003300670039006b009e009f004500be008800c40016002f003c0035003d009c009d004100ba008400c0c008c012000a01000049000d001600140403050306030203040105010601030102010101000a000c000a00170018001900150013000b000201000000001500130000106d6f6f6e2e696e742e636369672e706c NAS-Identifier = "xxx" State = 0xabbe8980abbf9c62469ee671636876ab Message-Authenticator = 0x8753091a175404cac7110ea5a622c82a # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "xxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 205 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 195 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< Unknown TLS version [length 00be] [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> Unknown TLS version [length 0034] [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> Unknown TLS version [length 02c6] [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> Unknown TLS version [length 014d] [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> Unknown TLS version [length 0004] [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 247 to 127.0.0.1 port 41457 EAP-Message = 0x0102040015c00000045f16030300340200003003039133f78dbb4a2fd7a086f78271b18d472b8e3f9a24cf88c85fefa041a396614b00c013000008000b00040300010216030302c60b0002c20002bf0002bc308202b8308201a0a003020102020900f25943f5edd1f259300d06092a864886f70d01010b0500301431123010060355040313096c6f63616c686f7374301e170d3135303531353133313833365a170d3235303531323133313833365a301431123010060355040313096c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100d60d70fda5d3dc73b6f490dde396e249b5f4ed9ab84209 EAP-Message = 0x65a696f9147657575a9c96ca528986c48cbcb8a180d58d0ab3ca6ec6a645475be6a4bc8d4f653e0d674f5c650704e10ad0498bc553b4b86ed39507ec8c7ff843e3c95ab7a6ae1318edd8d21c4e8875f38aef3d5148306f5f35c8c27f032a541a4d71ec9d02b70502241bb90bbb60d476d33263924f5f0e256f283617cd9780a9fb7235e6f721ab5274028dd8608c5b1b981af461a0de1cc24231de37b4f8fdeea51f0704fb69d7d15b08d1696245a9ec41ef1217886079fb904b69a94a18850f4466ad3a02b93b8f31513380bff48b14fb078107bf7315a24ddd5c5291e2ccefc90e5fb7843736f94f0203010001a30d300b30090603551d1304023000 EAP-Message = 0x300d06092a864886f70d01010b050003820101008fd5f2ec9307ad98a5dbf620f21b24f98cf32ed1a453bcf22085e9692fb5977e35ff5f0f6aefadc54842a27aa218781437dbaa12faed330c7cc83b03050fba03df50b7fd0ce055ee9054eb68419972d23bbc3db135fa1b82cfe35d643a08604efea8e7c172d7f6bb36952dac4b7aeb2487348dec01e8db8439c148d93cfcda6f71cecf8fa95608a18878223271e6d3968c9ebc5a874a35a6daefd538f869cfb34da300dc28d66f241139effcb13fc1020616b089b2eeffc3f0c5fd91a8f6fa42c6d3e4af83a16baf71070ed626361dac26a24164e975c4f183e7ecde28c737019b90c0eec445dc5c76 EAP-Message = 0xae8c81dd943c66e928762e55622a0b19d7c9f0ddb7ffff160303014d0c00014903001741048e7fe751552742003b186c7c3534cd294315fb4afb7d1191e3923cd601b69b0b683e76c3fc3a3dfb78c8c9d375e935410315b7952a3f6fda178961e26091a38b040101004f0e161de68fcca962694554b02d8309d071adf0c2c64bbb85621ed5ef227ba40ce6b4c1e2d3a02d43c18a4f79ded7db78f53d1e2c44d51b083a1d102aead8c8690e1d576a54ce475945dc1a3e8ce9e9f9b551cf5c05ec60dc97e00dc08607a149cf4b31b346ba259d0bcfd572922b1c6106f065ac2f0d800174716e7b82d157bcfa0387c21499a2e02ca2ac443474ca0a87198c EAP-Message = 0x4e7414ea4ce39155cc8a4031 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabbe8980aabc9c62469ee671636876ab Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=248, length=178 User-Name = "xxx" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 11 NAS-Port-Id = "ikev1_iPhone" NAS-IP-Address = 55.55.55.55 Called-Station-Id = "55.55.55.55[500]" Calling-Station-Id = "10.8.0.41[500]" EAP-Message = 0x0202001115800000000715030300020231 NAS-Identifier = "xxx" State = 0xabbe8980aabc9c62469ee671636876ab Message-Authenticator = 0xb28272a72ca2d41818e008e8659849f9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "xxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 17 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 7 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< Unknown TLS version [length 0002] TLS Alert read:fatal:access denied TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [ttls] eaptls_process returned 4 [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect (TLS Alert read:fatal:access denied): [xxx/<via Auth-Type = EAP>] (from client localhost port 11 cli 10.8.0.41[500]) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> xxx attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 248 to 127.0.0.1 port 41457 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 246 with timestamp +6 Cleaning up request 1 ID 247 with timestamp +6 Waking up in 1.0 seconds. Gabriel
On May 20, 2015, at 9:50 AM, gabriel_skupien <gabriel_skupien@o2.pl> wrote:
Problem with TTLS setup. EAP clients negotiate TLSv1.2 but FR reports "Unknown TLS version". Any idea?
It's a TLS issue. Either OpenSSL doesn't understand TLSv1.2, or FreeRADIUS was built using the wrong version of OpenSSL. Use wireshark to grab the packets. It should decode all of the TLS data, including the TLS version. Then, check the version. Alan DeKok.
On 20 May 2015, at 10:02, Alan DeKok <aland@deployingradius.com> wrote:
On May 20, 2015, at 9:50 AM, gabriel_skupien <gabriel_skupien@o2.pl> wrote:
Problem with TTLS setup. EAP clients negotiate TLSv1.2 but FR reports "Unknown TLS version". Any idea?
It's a TLS issue. Either OpenSSL doesn't understand TLSv1.2, or FreeRADIUS was built using the wrong version of OpenSSL.
I'm fairly sure this was a cosmetic issue that was fixed recently when we were looking at tls 1.2 and wpa_supplicant. OP will likely find it works as expected in v3.0.8, can't remember if it was backported to v2.2.x. If it wasn't, I vote nofix because v2.2.x is EOL and OP should upgrade to v3.0.8. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
gabriel_skupien