help seeing more debugging EAP-TTLS handshake

A.L.M.Buxey at A.L.M.Buxey at
Wed Sep 23 20:44:41 CEST 2015


> I am trying to debug an EAP-TTLS handshake problem between FreeRADIUS 2.2.4
> with OpenSSL 1.0.1f and Mac OS X 10.10.5 and 10.9.5.  The Macs are using

old. upgrade your FR

> b) FreeRADIUS/OpenSSL and these versions of Mac OS X can all do TLS 1.2.
> Does the text "TLS 1.0 Handshake" in the log really mean that it is only
> using TLS 1.0 instead of TLS 1.2?

yes. FR 2.2.4 doesnt do TLS 1.2  - 2.2.9 does

> c) There is a message in the log "TLS_accept: failed in SSLv3 read client
> certificate A". Does this mean that there was a client certificate
> presented by the client? (there shouldn't be a client cert at all)

how is the OSX device configured?

> d) Does anyone have any other suggestions to make this work? I already
> tried setting the cipher_list to well used ciphers that the Macs generally
> like ('AES+aRSA') and got the same result. (The trace below is with the
> default cipher_list).

works with DEFAULT. unless you want to start playing client compatibility issue
and need to remove eg DH methods or DES methods from the list I wouldnt touch it
(that particular combo only allows TLS1.2 and a few SSLv3 methods

>                         dh_file = ${certdir}/dh

how big is that dh key?   must be 1024 or bigger

openssl dhparam -in dh -text -noout

>                 ttls {
>                         default_eap_type = md5

md5? really?  I'm sure you want that to be mschapv2 for your systems.  dont think OSX
will renegotiate.


More information about the Freeradius-Users mailing list