ERROR: TLS Alert write:fatal:protocol version
Dear freeradius-users, after googling, reading and debugging for about 3 days now, maybe the community is able to help: Since moving our radius to ubuntu 20.0.4 some of our users are not able to authenticate using peap. The error message in radius.log is kind of Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [eduroam@uni-koblenz.de] (from client Unifi AccessPoints port 0 cli ... Most of these client seem to be very old (macOS El Capitan, iOS 10.x) but not all of them. My suggestion is, that these clients try to use TLS 1.0. So I excerpted a debug log with freeradius -X (attached). Indeed I can see (197) eap_peap: <<< recv TLS 1.3 [length 0062] (197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version So I changed the following lines in mods-enables/eap: # disable_tlsv1_2 = no # disable_tlsv1_1 = yes # disable_tlsv1 = yes tls_min_version = "1.0" tls_max_version = "1.2" Restarted radius, but no change at all. Any help is greatly appreciated! Thanks in advance! -- Kind regards Christoph _________________________________________ Uni Koblenz, Computing Centre, Office A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
These clients should upgrade the pc/os. I would say, Dont make "there" outdated computers your problem by lowering your security. Why waist your time om that.
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Christoph Litauer Verzonden: donderdag 1 juli 2021 12:08 Aan: Freeradius-Users@lists.freeradius.org Onderwerp: ERROR: TLS Alert write:fatal:protocol version
Dear freeradius-users,
after googling, reading and debugging for about 3 days now, maybe the community is able to help: Since moving our radius to ubuntu 20.0.4 some of our users are not able to authenticate using peap. The error message in radius.log is kind of
Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [eduroam@uni-koblenz.de] (from client Unifi AccessPoints port 0 cli ...
Most of these client seem to be very old (macOS El Capitan, iOS 10.x) but not all of them. My suggestion is, that these clients try to use TLS 1.0. So I excerpted a debug log with freeradius -X (attached). Indeed I can see
(197) eap_peap: <<< recv TLS 1.3 [length 0062] (197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
So I changed the following lines in mods-enables/eap: # disable_tlsv1_2 = no # disable_tlsv1_1 = yes # disable_tlsv1 = yes tls_min_version = "1.0" tls_max_version = "1.2"
Restarted radius, but no change at all. Any help is greatly appreciated! Thanks in advance!
-- Kind regards Christoph _________________________________________ Uni Koblenz, Computing Centre, Office A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your response. You're right! But not all of the failing clients have an outdated os. At least one of them used an up-to-date Android mobile ...
Am 01.07.2021 um 12:10 schrieb L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org>:
These clients should upgrade the pc/os.
I would say, Dont make "there" outdated computers your problem by lowering your security. Why waist your time om that.
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Christoph Litauer Verzonden: donderdag 1 juli 2021 12:08 Aan: Freeradius-Users@lists.freeradius.org Onderwerp: ERROR: TLS Alert write:fatal:protocol version
Dear freeradius-users,
after googling, reading and debugging for about 3 days now, maybe the community is able to help: Since moving our radius to ubuntu 20.0.4 some of our users are not able to authenticate using peap. The error message in radius.log is kind of
Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [eduroam@uni-koblenz.de] (from client Unifi AccessPoints port 0 cli ...
Most of these client seem to be very old (macOS El Capitan, iOS 10.x) but not all of them. My suggestion is, that these clients try to use TLS 1.0. So I excerpted a debug log with freeradius -X (attached). Indeed I can see
(197) eap_peap: <<< recv TLS 1.3 [length 0062] (197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
So I changed the following lines in mods-enables/eap: # disable_tlsv1_2 = no # disable_tlsv1_1 = yes # disable_tlsv1 = yes tls_min_version = "1.0" tls_max_version = "1.2"
Restarted radius, but no change at all. Any help is greatly appreciated! Thanks in advance!
-- Kind regards Christoph _________________________________________ Uni Koblenz, Computing Centre, Office A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Freundliche Grüße Christoph Litauer _________________________________________ Uni Koblenz, Rechenzentrum, Raum A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
Ask that user (I assume you talk about eduroam) to use the new "geteduroam" app: https://play.google.com/store/apps/details?id=app.eduroam.geteduroam&hl=en&g... Maybe he got some old configuration on his mobile that enforces TLS 1.0 (not sure if that is possible though). HINWEIS Ich habe eine neue E-Mailadresse: Patrick.oberli@ost.ch Freundliche Grüsse ICT - IT-Infrastructure Netzwerk- und Multimediateam Patrick Oberli Tel direkt: +41 58 257 4958 Email: patrick.oberli@ost.ch OST – Ostschweizer Fachhochschule ICT Information & Communication Technology | Oberseestrasse 10 | 8640 Rapperswil | Switzerland | https://www.ost.ch OST – Ostschweizer Fachhochschule ist der Zusammenschluss aus HSR Rapperswil, FHS St.Gallen und NTB Buchs. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+patrick.oberli=ost.ch@lists.freeradius.org> On Behalf Of Christoph Litauer Sent: Donnerstag, 1. Juli 2021 12:14 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: ERROR: TLS Alert write:fatal:protocol version Thanks for your response. You're right! But not all of the failing clients have an outdated os. At least one of them used an up-to-date Android mobile ...
Am 01.07.2021 um 12:10 schrieb L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org>:
These clients should upgrade the pc/os.
I would say, Dont make "there" outdated computers your problem by lowering your security. Why waist your time om that.
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Christoph Litauer Verzonden: donderdag 1 juli 2021 12:08 Aan: Freeradius-Users@lists.freeradius.org Onderwerp: ERROR: TLS Alert write:fatal:protocol version
Dear freeradius-users,
after googling, reading and debugging for about 3 days now, maybe the community is able to help: Since moving our radius to ubuntu 20.0.4 some of our users are not able to authenticate using peap. The error message in radius.log is kind of
Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [eduroam@uni-koblenz.de] (from client Unifi AccessPoints port 0 cli ...
Most of these client seem to be very old (macOS El Capitan, iOS 10.x) but not all of them. My suggestion is, that these clients try to use TLS 1.0. So I excerpted a debug log with freeradius -X (attached). Indeed I can see
(197) eap_peap: <<< recv TLS 1.3 [length 0062] (197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
So I changed the following lines in mods-enables/eap: # disable_tlsv1_2 = no # disable_tlsv1_1 = yes # disable_tlsv1 = yes tls_min_version = "1.0" tls_max_version = "1.2"
Restarted radius, but no change at all. Any help is greatly appreciated! Thanks in advance!
-- Kind regards Christoph _________________________________________ Uni Koblenz, Computing Centre, Office A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Freundliche Grüße Christoph Litauer _________________________________________ Uni Koblenz, Rechenzentrum, Raum A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, look at your logs: (197) eap_peap: <<< recv TLS 1.3 [length 0062] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version now look at your config tls_min_version = "1.0" tls_max_version = "1.2" ^^^^^^^^^^^^^^^^^^ is that the hint you needed? alan
Thanks Alan, already tried to set tls_max_version to 1.3 (not recommended), no change.
Am 01.07.2021 um 12:52 schrieb Alan Buxey <alan.buxey@gmail.com>:
hi,
look at your logs:
(197) eap_peap: <<< recv TLS 1.3 [length 0062] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
now look at your config
tls_min_version = "1.0" tls_max_version = "1.2" ^^^^^^^^^^^^^^^^^^
is that the hint you needed?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Freundliche Grüße Christoph Litauer _________________________________________ Uni Koblenz, Rechenzentrum, Raum A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
Set cipher_list = "DEFAULT@SECLEVEL=1" to fix this. Jochem IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199 E iolan@iolan.com • I http://www.iolan.com/ De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents here in and notify the sender immediately by return e-mail. -----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+j.sparla=iolan.com@lists.freeradius.org] Namens Christoph Litauer Verzonden: donderdag 1 juli 2021 13:24 Aan: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>; Alan Buxey <alan.buxey@gmail.com> Onderwerp: Re: ERROR: TLS Alert write:fatal:protocol version Thanks Alan, already tried to set tls_max_version to 1.3 (not recommended), no change.
Am 01.07.2021 um 12:52 schrieb Alan Buxey <alan.buxey@gmail.com>:
hi,
look at your logs:
(197) eap_peap: <<< recv TLS 1.3 [length 0062] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
now look at your config
tls_min_version = "1.0" tls_max_version = "1.2" ^^^^^^^^^^^^^^^^^^
is that the hint you needed?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Freundliche Grüße Christoph Litauer _________________________________________ Uni Koblenz, Rechenzentrum, Raum A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks a lot, that helped!
Am 01.07.2021 um 14:14 schrieb Jochem Sparla <J.Sparla@iolan.com>:
Set
cipher_list = "DEFAULT@SECLEVEL=1"
to fix this.
Jochem
IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199 E iolan@iolan.com • I http://www.iolan.com/
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents here in and notify the sender immediately by return e-mail.
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+j.sparla=iolan.com@lists.freeradius.org] Namens Christoph Litauer Verzonden: donderdag 1 juli 2021 13:24 Aan: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>; Alan Buxey <alan.buxey@gmail.com> Onderwerp: Re: ERROR: TLS Alert write:fatal:protocol version
Thanks Alan,
already tried to set tls_max_version to 1.3 (not recommended), no change.
Am 01.07.2021 um 12:52 schrieb Alan Buxey <alan.buxey@gmail.com>:
hi,
look at your logs:
(197) eap_peap: <<< recv TLS 1.3 [length 0062] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
now look at your config
tls_min_version = "1.0" tls_max_version = "1.2" ^^^^^^^^^^^^^^^^^^
is that the hint you needed?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Freundliche Grüße Christoph Litauer _________________________________________ Uni Koblenz, Rechenzentrum, Raum A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Freundliche Grüße Christoph Litauer _________________________________________ Uni Koblenz, Rechenzentrum, Raum A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
On Jul 1, 2021, at 8:14 AM, Jochem Sparla <J.Sparla@iolan.com> wrote:
Set
cipher_list = "DEFAULT@SECLEVEL=1"
to fix this.
Yeah, that's the solution. Newer versions of OpenSSL disallow TLS 1.0, unless you say "pretty please". You can set "tls_min_version = 1.0" and NOTHING in OpenSSL will tell you that this setting is ignored. In addition, the error messages produced by OpenSSL are incredibly opaque and useless. We put extensive comments into recent versions of the server to document this, and explain it. We added more debug messages to warn people about issues like this. Yet distributions are still shipping versions of FreeRADIUS which are (in some cases) many years old. They are actively preventing people from getting updated versions, with updated documentation, and updated fixes. This is one main reason we suggest that everyone use our package repositories at http://packages.networkradius.com The packages are provided as a service to the community. Not just because it's marketing. But because it helps people, and avoid frustrations like this. Alan DeKok.
participants (6)
-
Alan Buxey -
Alan DeKok -
Christoph Litauer -
Jochem Sparla -
L.P.H. van Belle -
Patrick Oberli