Dear All, we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can connect to the PEAP/MS-CHAPv2-based eduroam network. According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version 53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0 (53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Type = VLAN (53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Medium-Type = IEEE-802 (53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Private-Group-Id = "822" (53282519) Tue Nov 27 16:07:35 2018: Debug: User-Name := "marcel.sumsander@unibas.ch" (53282519) Tue Nov 27 16:07:35 2018: Debug: Chargeable-User-Identity := 0x36353637356537306236383335323162656233383262323062616538613935393935303934323763 (53282519) Tue Nov 27 16:07:35 2018: Debug: MS-MPPE-Recv-Key = 0xde555d4feda0c69ee0c251195d63e1d0f81618a8781522cbe398610d7df41745 (53282519) Tue Nov 27 16:07:35 2018: Debug: MS-MPPE-Send-Key = 0xb3a46cb36458a0dda59935105ffc8bfd38e4141952800b3bb9f989192ada38b0 (53282519) Tue Nov 27 16:07:35 2018: Debug: EAP-Message = 0x030c0004 (53282519) Tue Nov 27 16:07:35 2018: Debug: Message-Authenticator = 0x00000000000000000000000000000000 (53282519) Tue Nov 27 16:07:35 2018: Debug: Finished request (53282373) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 241 with timestamp +2433639 (53282375) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 242 with timestamp +2433639 (53282376) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 243 with timestamp +2433639 (53282378) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 244 with timestamp +2433639 (53282379) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 245 with timestamp +2433639 (53282380) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 246 with timestamp +2433639 (53282493) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 247 with timestamp +2433640 (53282497) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 248 with timestamp +2433640 (53282502) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 249 with timestamp +2433640 (53282509) Tue Nov 27 16:07:40 2018: Debug: Cleaning up request packet ID 250 with timestamp +2433640 (53282519) Tue Nov 27 16:07:40 2018: Debug: Cleaning up request packet ID 251 with timestamp +2433641 (53283340) Tue Nov 27 16:07:46 2018: ERROR: eap_peap: TLS Alert write:fatal:protocol version It looks like a TLS mismtach but not sure. Any experiences with this ? Which TLS versions are supported by FR 3.0.17 ? Thanks and BR, Thorsten
On Nov 27, 2018, at 12:37 PM, Thorsten Fritsch <thorsten.fritsch@unibas.ch> wrote:
we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can connect to the PEAP/MS-CHAPv2-based eduroam network.
According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version
Likely due to TLS 1.2.
53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0 (53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Type = VLAN
Don't sent "radiusd -Xx" please... all of the documentation says to just use "radiusd -X".
It looks like a TLS mismtach but not sure. Any experiences with this ? Which TLS versions are supported by FR 3.0.17 ?
FreeRADIUS uses OpenSSL for TLS. So check your OpenSSL library. Odds are that you're running a version / OS which is a few years old, and doesn't support TLS 1.2. You'll have to upgrade to a recent release of OpenSSL in order to fix that. Which likely means upgrading the entire OS, as OpenSSL is used by many applications. Alan DeKok.
On Nov 28, 2018, at 6:48 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 27, 2018, at 12:37 PM, Thorsten Fritsch <thorsten.fritsch@unibas.ch> wrote:
we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can connect to the PEAP/MS-CHAPv2-based eduroam network.
According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version
Likely due to TLS 1.2.
53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0 (53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Type = VLAN
Don't sent "radiusd -Xx" please... all of the documentation says to just use "radiusd -X".
It looks like a TLS mismtach but not sure. Any experiences with this ? Which TLS versions are supported by FR 3.0.17 ?
FreeRADIUS uses OpenSSL for TLS. So check your OpenSSL library.
Odds are that you're running a version / OS which is a few years old, and doesn't support TLS 1.2. You'll have to upgrade to a recent release of OpenSSL in order to fix that.
radiusd -Xv should show you the version of OpenSSL the server is linked against. -Arran
Thanks. we're running on Ubuntu 16.04.5 LTS. Sorry about the very verbose debug output. I took it with raddebug and didn't know that's very verbose by default. Will take it to heart next time... Unfortunately freeradius -Xv doesn't show the linked OpenSSL server on our system: root@its-edurad-qm:~# freeradius -Xv radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu FreeRADIUS Version 3.0.17 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT It really seems to go into that direction - I found the following article: https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-co... Thanks- Thorsten From: arr2036 [via FreeRADIUS] <ml+s1045715n5752781h6@n5.nabble.com> Sent: Thursday, 29 November 2018 02:27 To: Thorsten Fritsch <thorsten.fritsch@unibas.ch> Subject: Re: FreeRadius 3.0.17 - TLS issue
On Nov 28, 2018, at 6:48 AM, Alan DeKok <[hidden email]</user/SendEmail.jtp?type=node&node=5752781&i=0>> wrote:
On Nov 27, 2018, at 12:37 PM, Thorsten Fritsch <[hidden email]</user/SendEmail.jtp?type=node&node=5752781&i=1>> wrote:
we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can connect to the PEAP/MS-CHAPv2-based eduroam network.
According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version
Likely due to TLS 1.2.
53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0 (53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Type = VLAN
Don't sent "radiusd -Xx" please... all of the documentation says to just use "radiusd -X".
It looks like a TLS mismtach but not sure. Any experiences with this ? Which TLS versions are supported by FR 3.0.17 ?
FreeRADIUS uses OpenSSL for TLS. So check your OpenSSL library.
Odds are that you're running a version / OS which is a few years old, and doesn't support TLS 1.2. You'll have to upgrade to a recent release of OpenSSL in order to fix that.
radiusd -Xv should show you the version of OpenSSL the server is linked against. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-TLS-issue-tp575276... To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=dGhvcnN0ZW4uZnJpdHNjaEB1bmliYXMuY2h8Mjc0MDY5M3w1ODEyOTcyNzM=>. NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
On Nov 29, 2018, at 9:19 AM, Thorsten Fritsch <thorsten.fritsch@unibas.ch> wrote:
we're running on Ubuntu 16.04.5 LTS. Sorry about the very verbose debug output. I took it with raddebug and didn't know that's very verbose by default. Will take it to heart next time...
Unfortunately freeradius -Xv doesn't show the linked OpenSSL server on our system:
root@its-edurad-qm:~# freeradius -Xv
This is one of the few cases where more is better. Use "freeradius -Xxv", and you'll get output like this: Thu Nov 29 09:22:41 2018 : Info: radiusd: FreeRADIUS Version 3.0.18 (git #f2d93cf), for host i386-apple-darwin17.7.0, built on Oct 27 2018 at 08:53:45 Thu Nov 29 09:22:41 2018 : Debug: Server was built with: Thu Nov 29 09:22:41 2018 : Debug: accounting : yes ... Thu Nov 29 09:22:41 2018 : Debug: developer : yes Thu Nov 29 09:22:41 2018 : Debug: Server core libs: Thu Nov 29 09:22:41 2018 : Debug: freeradius-server : 3.0.18 Thu Nov 29 09:22:41 2018 : Debug: talloc : 2.1.* Thu Nov 29 09:22:41 2018 : Debug: ssl : 1.0.2p release Thu Nov 29 09:22:41 2018 : Debug: Endianness: Thu Nov 29 09:22:41 2018 : Debug: little Thu Nov 29 09:22:41 2018 : Debug: Compilation flags: ... Which is very useful. Alan DeKok.
Hi Alan, thanks. It looks like we're linked to 1.0.2g root@its-edurad-qm:~# freeradius -Xxv Thu Nov 29 15:29:10 2018 : Info: radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu Thu Nov 29 15:29:10 2018 : Debug: tls : yes Thu Nov 29 15:29:10 2018 : Debug: freeradius-server : 3.0.17 Thu Nov 29 15:29:10 2018 : Debug: ssl : 1.0.2g release Cheers, Thorsten From: Alan DeKok-2 [via FreeRADIUS] <ml+s1045715n5752788h23@n5.nabble.com> Sent: Thursday, 29 November 2018 15:24 To: Thorsten Fritsch <thorsten.fritsch@unibas.ch> Subject: Re: FreeRadius 3.0.17 - TLS issue On Nov 29, 2018, at 9:19 AM, Thorsten Fritsch <[hidden email]</user/SendEmail.jtp?type=node&node=5752788&i=0>> wrote:
we're running on Ubuntu 16.04.5 LTS. Sorry about the very verbose debug output. I took it with raddebug and didn't know that's very verbose by default. Will take it to heart next time...
Unfortunately freeradius -Xv doesn't show the linked OpenSSL server on our system:
root@its-edurad-qm:~# freeradius -Xv
This is one of the few cases where more is better. Use "freeradius -Xxv", and you'll get output like this: Thu Nov 29 09:22:41 2018 : Info: radiusd: FreeRADIUS Version 3.0.18 (git #f2d93cf), for host i386-apple-darwin17.7.0, built on Oct 27 2018 at 08:53:45 Thu Nov 29 09:22:41 2018 : Debug: Server was built with: Thu Nov 29 09:22:41 2018 : Debug: accounting : yes ... Thu Nov 29 09:22:41 2018 : Debug: developer : yes Thu Nov 29 09:22:41 2018 : Debug: Server core libs: Thu Nov 29 09:22:41 2018 : Debug: freeradius-server : 3.0.18 Thu Nov 29 09:22:41 2018 : Debug: talloc : 2.1.* Thu Nov 29 09:22:41 2018 : Debug: ssl : 1.0.2p release Thu Nov 29 09:22:41 2018 : Debug: Endianness: Thu Nov 29 09:22:41 2018 : Debug: little Thu Nov 29 09:22:41 2018 : Debug: Compilation flags: ... Which is very useful. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-TLS-issue-tp575276... To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=dGhvcnN0ZW4uZnJpdHNjaEB1bmliYXMuY2h8Mjc0MDY5M3w1ODEyOTcyNzM=>. NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
Thanks Alan will pass on the ball to our Windows guys Thorsten From: Alan DeKok-2 [via FreeRADIUS] <ml+s1045715n5752790h85@n5.nabble.com> Sent: Thursday, 29 November 2018 15:35 To: Thorsten Fritsch <thorsten.fritsch@unibas.ch> Subject: Re: FreeRadius 3.0.17 - TLS issue On Nov 29, 2018, at 9:31 AM, Thorsten Fritsch <[hidden email]</user/SendEmail.jtp?type=node&node=5752790&i=0>> wrote:
thanks. It looks like we're linked to 1.0.2g
Then it should support TLS 1.2. If the Windows 10 boxes don't like it, ask Microsoft for assistance. :( Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-TLS-issue-tp575276... To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=dGhvcnN0ZW4uZnJpdHNjaEB1bmliYXMuY2h8Mjc0MDY5M3w1ODEyOTcyNzM=>. NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Thorsten Fritsch