Reject for unknown TLS version
Deploying EAP-TLS, I've got the CA and certificate configured on the server, and the client-side certificate on the client. But I'm getting a "Unknown TLS version [length 0002]" message. Debug output below. Following a previous thread (http://freeradius.1045715.n5.nabble.com/ttls-lt-lt-lt-Unknown-TLS-version-le...), I've confirmed that FreeRADIUS is built on a version of OpenSSL that support TLS 1.2. In wireshark, I see the Server Hello advertising support for TLS 1.2. I'm also seeing an exchange of four access-request / access-challenge before the reject is finally sent. Is there anything else that could be causing this message? Is the "[length 0002]" referring to only have two bytes to parse? Is some of the transaction getting lost someplace? To be fair, we have FreeRADIUS deployed on RHEL6, using the RedHat-supplied packages. So far, we've been happy with the stability this provides, but realize that FreeRADIUS 2.2.6 is way outdated. My suspicion is this is due to a misconfiguration somewhere on my end, but will test a newer version of FreeRADIUS. Thanks Norman ======== rad_recv: Access-Request packet from host 10.100.136.139 port 58966, id=85, length=256 User-Name = "wnelto@wm.edu" NAS-Identifier = "AP-Jones14Hallway" Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls" AH-Vlan-Id = 0 AH-UserProfile-Id = 1100 Acct-Multi-Session-Id = "696D03370B67F9C2" Service-Type = Framed-User NAS-Port = 0 Calling-Station-Id = "78-4F-43-51-71-D2" Connect-Info = "11ac" Acct-Session-Id = "8C5E9DF056A740DB" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 NAS-IP-Address = 10.100.136.139 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1500 EAP-Message = 0x02c7001201776e656c746f40776d2e656475 Message-Authenticator = 0x89c60964c1782091312827729adc6284 server srv-aerohive-aps-eap-tls { # Executing section authorize from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group authorize { ++[preprocess] = ok [strip_username_prefix] expand: ^campus\\\ -> ^campus\\ strip_username_prefix: Does not match: User-Name = wnelto@wm.edu ++[strip_username_prefix] = ok ++[mschap] = noop [log_aerohive_inbound] expand: AERO [IN %{request:Packet-Src-IP-Address}] %{request:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu ++[log_aerohive_inbound] = ok [eap-aerohive-tls] EAP packet type response id 199 length 18 [eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation ++[eap-aerohive-tls] = updated +} # group authorize = updated Found Auth-Type = eap-aerohive-tls # Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group eap-aerohive-tls { [eap-aerohive-tls] EAP Identity [eap-aerohive-tls] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap-aerohive-tls] = handled ++? if (handled) ? Evaluating (handled) -> TRUE ++? if (handled) -> TRUE ++if (handled) { [log_aerohive_outbound] expand: AERO [OUT %{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT 10.100.136.139] Access-Challenge: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu -> +++[log_aerohive_outbound] = ok +++[handled] = handled ++} # if (handled) = handled +} # group eap-aerohive-tls = handled } # server srv-aerohive-aps-eap-tls Sending Access-Challenge of id 85 to 10.100.136.139 port 58966 EAP-Message = 0x01c800060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6fc2d7b96f0ada3950baa64de4198c71 Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.100.136.139 port 58966, id=86, length=417 User-Name = "wnelto@wm.edu" NAS-Identifier = "AP-Jones14Hallway" Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls" AH-Vlan-Id = 0 AH-UserProfile-Id = 1100 Acct-Multi-Session-Id = "696D03370B67F9C2" Service-Type = Framed-User NAS-Port = 0 Calling-Station-Id = "78-4F-43-51-71-D2" Connect-Info = "11ac" Acct-Session-Id = "8C5E9DF056A740DB" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 NAS-IP-Address = 10.100.136.139 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1500 EAP-Message = 0x02c800a10d800000009716030100920100008e03035b72d919bf25e5e1c2428293f421b0ca996556c5fa8b19f9897c7a1a5c994c0a00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 State = 0x6fc2d7b96f0ada3950baa64de4198c71 Message-Authenticator = 0xdd283334b485d03b1a1227da4db85c86 server srv-aerohive-aps-eap-tls { # Executing section authorize from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group authorize { ++[preprocess] = ok [strip_username_prefix] expand: ^campus\\\ -> ^campus\\ strip_username_prefix: Does not match: User-Name = wnelto@wm.edu ++[strip_username_prefix] = ok ++[mschap] = noop [log_aerohive_inbound] expand: AERO [IN %{request:Packet-Src-IP-Address}] %{request:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu ++[log_aerohive_inbound] = ok [eap-aerohive-tls] EAP packet type response id 200 length 161 [eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation ++[eap-aerohive-tls] = updated +} # group authorize = updated Found Auth-Type = eap-aerohive-tls # Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group eap-aerohive-tls { [eap-aerohive-tls] Request found, released from the list [eap-aerohive-tls] EAP/tls [eap-aerohive-tls] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 151 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< Unknown TLS version [length 0092] [tls] TLS_accept: SSLv3 read client hello A [tls] >>> Unknown TLS version [length 0039] [tls] TLS_accept: SSLv3 write server hello A [tls] >>> Unknown TLS version [length 0667] [tls] TLS_accept: SSLv3 write certificate A [tls] >>> Unknown TLS version [length 014d] [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> Unknown TLS version [length 00f4] [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap-aerohive-tls] = handled ++? if (handled) ? Evaluating (handled) -> TRUE ++? if (handled) -> TRUE ++if (handled) { [log_aerohive_outbound] expand: AERO [OUT %{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT 10.100.136.139] Access-Challenge: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu -> +++[log_aerohive_outbound] = ok +++[handled] = handled ++} # if (handled) = handled +} # group eap-aerohive-tls = handled } # server srv-aerohive-aps-eap-tls Sending Access-Challenge of id 86 to 10.100.136.139 port 58966 EAP-Message = 0x01c904000dc0000008f516030300390200003503035b72d9197e597f8bc8a618afe30f89ecffd92dff97fc8acae895d7ac1498d4c200c03000000dff01000100000b00040300010216030306670b00066300066000065d3082065930820541a00302010202107e23e2f2c72fa07f91b662af2727e01b300d06092a864886f70d01010b05003076310b3009060355040613025553310b3009060355040813024d493112301006035504071309416e6e204172626f7231123010060355040a1309496e7465726e6574323111300f060355040b1308496e436f6d6d6f6e311f301d06035504031316496e436f6d6d6f6e2052534120536572766572204341 EAP-Message = 0x301e170d3136303230393030303030305a170d3139303230383233353935395a3081b5310b3009060355040613025553311330110603550411130a32333138372d38373935310b3009060355040813025641311530130603550407130c57696c6c69616d7362757267311c301a06035504091313426c6f772048616c6c2c20526f6f6d2031353031283026060355040a131f54686520436f6c6c656765206f662057696c6c69616d20616e64204d617279310b3009060355040b13024954311830160603550403130f776972656c6573732e776d2e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b7f2a EAP-Message = 0x5457ad3bd6fd8fe5a4ad8f00278203819792ce336920bc498078a01a67cd1f3209ab29aa6408360079fdf24c8dc55a0b0dcfb7fb2ac2388707e95bb0addce869229dd675e2a22674b8106acc105752dbf8bb22492d4c435ccf2a5c9092dc906dc896fe7f2c139cbaefa8017fbeb1fd07054d6aa2781f2ae43682f211cba7c336f20c5fe5919e89a68ebcd4f7994ad497abb1ca5a2c70d876e1fb5678c190484afefbe8ca5ecb59bcc2ab81c2dac39b5f1b469d6b72117cabec5bd0c4ef3da8ca20ea1f7d6ed6e7dec9da78abd2489b9d054593ca8eff7d0f8f40fd4b6ddd40f760f0b9b229a3ad57116734dcc9144d0020cf9355ad909e1e0a3db5dd02 EAP-Message = 0x03010001a38202a13082029d301f0603551d230418301680141e05a3778f6c96e25b874ba6b486ac71000ce738301d0603551d0e04160414e221c3b8b5a1ed4f545c740be804648cdc845c34300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230670603551d200460305e3052060c2b06010401ae2301040301013042304006082b06010505070201163468747470733a2f2f7777772e696e636f6d6d6f6e2e6f72672f636572742f7265706f7369746f72792f6370735f73736c2e7064663008060667810c01020230440603551d1f043d303b EAP-Message = 0x3039a037a035863368747470 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6fc2d7b96e0bda3950baa64de4198c71 Finished request 20. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.100.136.139 port 58966, id=87, length=262 User-Name = "wnelto@wm.edu" NAS-Identifier = "AP-Jones14Hallway" Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls" AH-Vlan-Id = 0 AH-UserProfile-Id = 1100 Acct-Multi-Session-Id = "696D03370B67F9C2" Service-Type = Framed-User NAS-Port = 0 Calling-Station-Id = "78-4F-43-51-71-D2" Connect-Info = "11ac" Acct-Session-Id = "8C5E9DF056A740DB" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 NAS-IP-Address = 10.100.136.139 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1500 EAP-Message = 0x02c900060d00 State = 0x6fc2d7b96e0bda3950baa64de4198c71 Message-Authenticator = 0x66c9255b45835d0d2d54398dc804a0b6 server srv-aerohive-aps-eap-tls { # Executing section authorize from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group authorize { ++[preprocess] = ok [strip_username_prefix] expand: ^campus\\\ -> ^campus\\ strip_username_prefix: Does not match: User-Name = wnelto@wm.edu ++[strip_username_prefix] = ok ++[mschap] = noop [log_aerohive_inbound] expand: AERO [IN %{request:Packet-Src-IP-Address}] %{request:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu ++[log_aerohive_inbound] = ok [eap-aerohive-tls] EAP packet type response id 201 length 6 [eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation ++[eap-aerohive-tls] = updated +} # group authorize = updated Found Auth-Type = eap-aerohive-tls # Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group eap-aerohive-tls { [eap-aerohive-tls] Request found, released from the list [eap-aerohive-tls] EAP/tls [eap-aerohive-tls] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap-aerohive-tls] = handled ++? if (handled) ? Evaluating (handled) -> TRUE ++? if (handled) -> TRUE ++if (handled) { [log_aerohive_outbound] expand: AERO [OUT %{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT 10.100.136.139] Access-Challenge: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu -> +++[log_aerohive_outbound] = ok +++[handled] = handled ++} # if (handled) = handled +} # group eap-aerohive-tls = handled } # server srv-aerohive-aps-eap-tls Sending Access-Challenge of id 87 to 10.100.136.139 port 58966 EAP-Message = 0x01ca04000dc0000008f53a2f2f63726c2e696e636f6d6d6f6e2d7273612e6f72672f496e436f6d6d6f6e52534153657276657243412e63726c307506082b0601050507010104693067303e06082b060105050730028632687474703a2f2f6372742e7573657274727573742e636f6d2f496e436f6d6d6f6e52534153657276657243415f322e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d3081f70603551d110481ef3081ec820f776972656c6573732e776d2e656475821761757468312e7361666574792e6e65742e776d2e656475821761757468322e7361666574792e6e65742e776d EAP-Message = 0x2e656475821761757468332e7361666574792e6e65742e776d2e656475821761757468342e7361666574792e6e65742e776d2e6564758219617574686465762e7361666574792e6e65742e776d2e6564758215726164697573312e63616d7075732e776d2e6564758215726164697573322e63616d7075732e776d2e6564758215726164697573332e63616d7075732e776d2e6564758215726164697573342e63616d7075732e776d2e656475300d06092a864886f70d01010b050003820101008a0e6906805755e7771d4007da7cc49081e60831f0170be61b71a9919ffe692638c427069ca1bcc3479d6e76ba03de3cf11934df860be80cf452885b EAP-Message = 0x40c6cd525a6871b33f0fcbcdcf526c5142868b8bc6a60dd745682e84a1caea9ffc3b50e447586d75a06530a4ac2cd44a6e5ad2044e157f4cf83cd603f8b5126f1cd90ebc61483d0a7b6d77d12630e610a7d4afc462cacb7a932f15989bb8a28bf01e2619420d37ce3e9dc4bcf269c2b7966ef9a326af879e0a11b981fc4202999fd3fd0ef1fc6f1201a091e8d895029616ae92eb6fb43615721f270fb7cbaeda1f619684960b55aa016eaaae364be336d7bf0e0c6943734924d5f218ab033185c8dc253a160303014d0c0001490300174104a43ff793877aa3cbe8938ad243c61ba19f3d9f8716e6fabff6279898c7181cdbb2402ec0c27715ed0a0ae3 EAP-Message = 0x592362b8138e143a1617a3f2c98af985ab7fa9f3b904010100b64e0ddac89de21dae049cb7c20d90cb5bc6674450eb8aaba7987a919cdb401cfada8f96fee3f8dd629b67955b60cc4aa1efe7b91a50917d51ac7b056e7ca76aac2ba42f26dfb86df1e6a8ab2de6017a08210b6e9f51c7b07bca6ab9df8b675e88dbb027e13be5fe52acbe48eb3072ff34c762ad66c02217aec74e2dca794b1bc27ed461268466e77135c90628f91bbda6c3a3043097a2d3391f02dbcfb730ef5009acac1352bfb0a8184ce2f0da3b179669c50e9277728a694ff236eed58a1b25e2cf9c2b26be443799c5c25391ef859a33dcae27d83b034e4d597c642835cbb7d8c924 EAP-Message = 0x61afcf995dfc00d54f975473 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6fc2d7b96d08da3950baa64de4198c71 Finished request 21. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.100.136.139 port 58966, id=88, length=262 User-Name = "wnelto@wm.edu" NAS-Identifier = "AP-Jones14Hallway" Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls" AH-Vlan-Id = 0 AH-UserProfile-Id = 1100 Acct-Multi-Session-Id = "696D03370B67F9C2" Service-Type = Framed-User NAS-Port = 0 Calling-Station-Id = "78-4F-43-51-71-D2" Connect-Info = "11ac" Acct-Session-Id = "8C5E9DF056A740DB" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 NAS-IP-Address = 10.100.136.139 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1500 EAP-Message = 0x02ca00060d00 State = 0x6fc2d7b96d08da3950baa64de4198c71 Message-Authenticator = 0x4853ab54dca98d2730b55492154a5900 server srv-aerohive-aps-eap-tls { # Executing section authorize from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group authorize { ++[preprocess] = ok [strip_username_prefix] expand: ^campus\\\ -> ^campus\\ strip_username_prefix: Does not match: User-Name = wnelto@wm.edu ++[strip_username_prefix] = ok ++[mschap] = noop [log_aerohive_inbound] expand: AERO [IN %{request:Packet-Src-IP-Address}] %{request:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu ++[log_aerohive_inbound] = ok [eap-aerohive-tls] EAP packet type response id 202 length 6 [eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation ++[eap-aerohive-tls] = updated +} # group authorize = updated Found Auth-Type = eap-aerohive-tls # Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group eap-aerohive-tls { [eap-aerohive-tls] Request found, released from the list [eap-aerohive-tls] EAP/tls [eap-aerohive-tls] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap-aerohive-tls] = handled ++? if (handled) ? Evaluating (handled) -> TRUE ++? if (handled) -> TRUE ++if (handled) { [log_aerohive_outbound] expand: AERO [OUT %{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT 10.100.136.139] Access-Challenge: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu -> +++[log_aerohive_outbound] = ok +++[handled] = handled ++} # if (handled) = handled +} # group eap-aerohive-tls = handled } # server srv-aerohive-aps-eap-tls Sending Access-Challenge of id 88 to 10.100.136.139 port 58966 EAP-Message = 0x01cb01130d80000008f5f4cbf66cc3d63f418c16b335bf8fc5e216030300f40d0000ec03010240001e06010602060305010502050304010402040303010302030302010202020300c6005d305b31243022060355040a0c1b436f6c6c656765206f662057696c6c69616d20616e64204d6172793133303106035504030c2a436f6c6c656765206f662057696c6c69616d20616e64204d6172792044657669636520526f6f742043410065306331243022060355040a0c1b436f6c6c656765206f662057696c6c69616d20616e64204d617279313b303906035504030c32436f6c6c656765206f662057696c6c69616d20616e64204d6172792044657669 EAP-Message = 0x636520496e7465726d6564696174652043410e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6fc2d7b96c09da3950baa64de4198c71 Finished request 22. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.100.136.139 port 58966, id=89, length=273 User-Name = "wnelto@wm.edu" NAS-Identifier = "AP-Jones14Hallway" Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls" AH-Vlan-Id = 0 AH-UserProfile-Id = 1100 Acct-Multi-Session-Id = "696D03370B67F9C2" Service-Type = Framed-User NAS-Port = 0 Calling-Station-Id = "78-4F-43-51-71-D2" Connect-Info = "11ac" Acct-Session-Id = "8C5E9DF056A740DB" WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 NAS-IP-Address = 10.100.136.139 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1500 EAP-Message = 0x02cb00110d800000000715030300020100 State = 0x6fc2d7b96c09da3950baa64de4198c71 Message-Authenticator = 0x574a16f4a82bcdf900c20574210fde90 server srv-aerohive-aps-eap-tls { # Executing section authorize from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group authorize { ++[preprocess] = ok [strip_username_prefix] expand: ^campus\\\ -> ^campus\\ strip_username_prefix: Does not match: User-Name = wnelto@wm.edu ++[strip_username_prefix] = ok ++[mschap] = noop [log_aerohive_inbound] expand: AERO [IN %{request:Packet-Src-IP-Address}] %{request:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu ++[log_aerohive_inbound] = ok [eap-aerohive-tls] EAP packet type response id 203 length 17 [eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation ++[eap-aerohive-tls] = updated +} # group authorize = updated Found Auth-Type = eap-aerohive-tls # Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group eap-aerohive-tls { [eap-aerohive-tls] Request found, released from the list [eap-aerohive-tls] EAP/tls [eap-aerohive-tls] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 7 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< Unknown TLS version [length 0002] TLS Alert read:warning:close notify TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap-aerohive-tls] Handler failed in EAP/tls [eap-aerohive-tls] Failed in EAP select ++[eap-aerohive-tls] = invalid +} # group eap-aerohive-tls = invalid Failed to authenticate the user. } # server srv-aerohive-aps-eap-tls Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls +group REJECT { [log_aerohive_outbound] expand: AERO [OUT %{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}: %{request:Calling-Station-Id} %{request:Called-Station-Id} %{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT 10.100.136.139] Access-Reject: 78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto@wm.edu -> ++[log_aerohive_outbound] = ok +} # group REJECT = ok Delaying reject of request 23 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 23 Sending Access-Reject of id 89 to 10.100.136.139 port 58966 EAP-Message = 0x04cb0004 Message-Authenticator = 0x00000000000000000000000000000000
On Aug 14, 2018, at 10:34 AM, Norman Elton <normelton@gmail.com> wrote:
Deploying EAP-TLS, I've got the CA and certificate configured on the server, and the client-side certificate on the client. But I'm getting a "Unknown TLS version [length 0002]" message. Debug output below.
You're running v2. I would suggest upgrading.
Is the "[length 0002]" referring to only have two bytes to parse? Is some of the transaction getting lost someplace?
I'm not sure. It's a TLS issue.
To be fair, we have FreeRADIUS deployed on RHEL6, using the RedHat-supplied packages. So far, we've been happy with the stability this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :) Alan DeKok.
To be fair, we have FreeRADIUS deployed on RHEL6, using the RedHat-supplied packages. So far, we've been happy with the stability this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :)
For anyone having this problem ... upgrading to FreeRADIUS 3.0.17, and to openssl 1.0.2p appears to have solved the problem. Moving to FR3 is long overdue. It will require some reconfigurations on my part, which will surely prompt more questions. Thanks for the advice so far. Norman On Tue, Aug 14, 2018 at 10:39 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 14, 2018, at 10:34 AM, Norman Elton <normelton@gmail.com> wrote:
Deploying EAP-TLS, I've got the CA and certificate configured on the server, and the client-side certificate on the client. But I'm getting a "Unknown TLS version [length 0002]" message. Debug output below.
You're running v2. I would suggest upgrading.
Is the "[length 0002]" referring to only have two bytes to parse? Is some of the transaction getting lost someplace?
I'm not sure. It's a TLS issue.
To be fair, we have FreeRADIUS deployed on RHEL6, using the RedHat-supplied packages. So far, we've been happy with the stability this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :)
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
For anyone having this problem ... upgrading to FreeRADIUS 3.0.17, and to openssl 1.0.2p appears to have solved the problem.
Moving to FR3 is long overdue. It will require some reconfigurations on my part, which will surely prompt more questions. Thanks for the advice so far.
Just a follow-up to my follow-up, purely for those that run into this issue in the future. The root cause was not FR version related. It appears that my client (Mac OS 10.13.6) terminates the TLS session when it realizes that it does not trust the server-side certificate. FreeRADIUS is barking about the closure of this TLS session. The same issue recurs under FreeRADIUS 3.0.17, albeit with a slightly different output. I finally rooted this out digging through client-side 802.1x logs and discovered a misconfiguration in our onboarding tool. Thanks Norman On Tue, Aug 14, 2018 at 4:10 PM Norman Elton <normelton@gmail.com> wrote:
To be fair, we have FreeRADIUS deployed on RHEL6, using the RedHat-supplied packages. So far, we've been happy with the stability this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :)
For anyone having this problem ... upgrading to FreeRADIUS 3.0.17, and to openssl 1.0.2p appears to have solved the problem.
Moving to FR3 is long overdue. It will require some reconfigurations on my part, which will surely prompt more questions. Thanks for the advice so far.
Norman On Tue, Aug 14, 2018 at 10:39 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 14, 2018, at 10:34 AM, Norman Elton <normelton@gmail.com> wrote:
Deploying EAP-TLS, I've got the CA and certificate configured on the server, and the client-side certificate on the client. But I'm getting a "Unknown TLS version [length 0002]" message. Debug output below.
You're running v2. I would suggest upgrading.
Is the "[length 0002]" referring to only have two bytes to parse? Is some of the transaction getting lost someplace?
I'm not sure. It's a TLS issue.
To be fair, we have FreeRADIUS deployed on RHEL6, using the RedHat-supplied packages. So far, we've been happy with the stability this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
Yup. You should upgrade to 2.2.10 at least. It also has fixes for TLS 1.2. :)
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Norman Elton