[ttls] <<< Unknown TLS version [length 0002]
gabriel_skupien
gabriel_skupien at o2.pl
Wed May 20 15:50:30 CEST 2015
Problem with TTLS setup. EAP clients negotiate TLSv1.2 but FR reports "Unknown TLS version". Any idea?
########################
freeradius: FreeRADIUS Version 2.2.7, for host x86_64-pc-linux-gnu, built on May 20 2015 at 15:09:29
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
########################
OpenSSL 1.0.1f 6 Jan 2014
########################
rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=246, length=163
User-Name = "xxx"
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 11
NAS-Port-Id = "ikev1_iPhone"
NAS-IP-Address = 55.55.55.55
Called-Station-Id = "55.55.55.55[500]"
Calling-Station-Id = "10.8.0.41[500]"
EAP-Message = 0x02000014016761627269656c2e736b757069656e
NAS-Identifier = "xxx"
Message-Authenticator = 0x3081d2a8deb390730c6a4549a473d550
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "xxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 246 to 127.0.0.1 port 41457
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xabbe8980abbf9c62469ee671636876ab
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=247, length=366
User-Name = "xxx"
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 11
NAS-Port-Id = "ikev1_iPhone"
NAS-IP-Address = 55.55.55.55
Called-Station-Id = "55.55.55.55[500]"
Calling-Station-Id = "10.8.0.41[500]"
EAP-Message = 0x020100cd1580000000c316030300be010000ba0303555c8c48a01b005b0cd652b9a53aa87fbbaa396563f547fd22c3c9c2484d36a4000048c009c023c00ac024c02bc02cc013c027c014c028c02fc030003300670039006b009e009f004500be008800c40016002f003c0035003d009c009d004100ba008400c0c008c012000a01000049000d001600140403050306030203040105010601030102010101000a000c000a00170018001900150013000b000201000000001500130000106d6f6f6e2e696e742e636369672e706c
NAS-Identifier = "xxx"
State = 0xabbe8980abbf9c62469ee671636876ab
Message-Authenticator = 0x8753091a175404cac7110ea5a622c82a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "xxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 205
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 195
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 00be]
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> Unknown TLS version [length 0034]
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> Unknown TLS version [length 02c6]
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 247 to 127.0.0.1 port 41457
EAP-Message = 0x0102040015c00000045f16030300340200003003039133f78dbb4a2fd7a086f78271b18d472b8e3f9a24cf88c85fefa041a396614b00c013000008000b00040300010216030302c60b0002c20002bf0002bc308202b8308201a0a003020102020900f25943f5edd1f259300d06092a864886f70d01010b0500301431123010060355040313096c6f63616c686f7374301e170d3135303531353133313833365a170d3235303531323133313833365a301431123010060355040313096c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100d60d70fda5d3dc73b6f490dde396e249b5f4ed9ab84209
EAP-Message = 0x65a696f9147657575a9c96ca528986c48cbcb8a180d58d0ab3ca6ec6a645475be6a4bc8d4f653e0d674f5c650704e10ad0498bc553b4b86ed39507ec8c7ff843e3c95ab7a6ae1318edd8d21c4e8875f38aef3d5148306f5f35c8c27f032a541a4d71ec9d02b70502241bb90bbb60d476d33263924f5f0e256f283617cd9780a9fb7235e6f721ab5274028dd8608c5b1b981af461a0de1cc24231de37b4f8fdeea51f0704fb69d7d15b08d1696245a9ec41ef1217886079fb904b69a94a18850f4466ad3a02b93b8f31513380bff48b14fb078107bf7315a24ddd5c5291e2ccefc90e5fb7843736f94f0203010001a30d300b30090603551d1304023000
EAP-Message = 0x300d06092a864886f70d01010b050003820101008fd5f2ec9307ad98a5dbf620f21b24f98cf32ed1a453bcf22085e9692fb5977e35ff5f0f6aefadc54842a27aa218781437dbaa12faed330c7cc83b03050fba03df50b7fd0ce055ee9054eb68419972d23bbc3db135fa1b82cfe35d643a08604efea8e7c172d7f6bb36952dac4b7aeb2487348dec01e8db8439c148d93cfcda6f71cecf8fa95608a18878223271e6d3968c9ebc5a874a35a6daefd538f869cfb34da300dc28d66f241139effcb13fc1020616b089b2eeffc3f0c5fd91a8f6fa42c6d3e4af83a16baf71070ed626361dac26a24164e975c4f183e7ecde28c737019b90c0eec445dc5c76
EAP-Message = 0xae8c81dd943c66e928762e55622a0b19d7c9f0ddb7ffff160303014d0c00014903001741048e7fe751552742003b186c7c3534cd294315fb4afb7d1191e3923cd601b69b0b683e76c3fc3a3dfb78c8c9d375e935410315b7952a3f6fda178961e26091a38b040101004f0e161de68fcca962694554b02d8309d071adf0c2c64bbb85621ed5ef227ba40ce6b4c1e2d3a02d43c18a4f79ded7db78f53d1e2c44d51b083a1d102aead8c8690e1d576a54ce475945dc1a3e8ce9e9f9b551cf5c05ec60dc97e00dc08607a149cf4b31b346ba259d0bcfd572922b1c6106f065ac2f0d800174716e7b82d157bcfa0387c21499a2e02ca2ac443474ca0a87198c
EAP-Message = 0x4e7414ea4ce39155cc8a4031
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xabbe8980aabc9c62469ee671636876ab
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 41457, id=248, length=178
User-Name = "xxx"
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 11
NAS-Port-Id = "ikev1_iPhone"
NAS-IP-Address = 55.55.55.55
Called-Station-Id = "55.55.55.55[500]"
Calling-Station-Id = "10.8.0.41[500]"
EAP-Message = 0x0202001115800000000715030300020231
NAS-Identifier = "xxx"
State = 0xabbe8980aabc9c62469ee671636876ab
Message-Authenticator = 0xb28272a72ca2d41818e008e8659849f9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "xxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 17
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 7
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< Unknown TLS version [length 0002]
TLS Alert read:fatal:access denied
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:access denied): [xxx/<via Auth-Type = EAP>] (from client localhost port 11 cli 10.8.0.41[500])
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> xxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 248 to 127.0.0.1 port 41457
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 246 with timestamp +6
Cleaning up request 1 ID 247 with timestamp +6
Waking up in 1.0 seconds.
Gabriel
More information about the Freeradius-Users
mailing list