Authentication problems with some devices: TLS version too low

Lars Veldscholte lars at tuxplace.nl
Fri Sep 1 19:16:51 CEST 2017


Hello everyone,

I have problems with authenticating some clients using PEAP-MSCHAP. I've 
seen two (unrelated) devices having this issue so far: an Android phone 
and a Windows 7 PC. Other clients do not have this problem.

The debug output is:

(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 99 bytes
(2) eap_peap: Got complete TLS record (99 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.2  [length 005e]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): 
error:1417D18C:SSL routines:tls_process_client_hello:version too low
(2) eap_peap: ERROR: System call (I/O) error (-1)
(2) eap_peap: ERROR: TLS receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module 
failed
(2) eap: Sending EAP Failure (code 4) ID 230 length 4
(2) eap: Failed in EAP select
(2)     [eap] = invalid
(2)   } # authenticate = invalid
(2) Failed to authenticate the user

I'm not sure if I'm interpreting this correctly, but it seems that the 
client is trying to talk in TLSv1.2 while FreeRADIUS doesn't support that?

I don't know what started this problem. PEAP always worked in the past, 
until now. The only thing I can think of is that I've recently generated 
new certificates (old ones were expired). There has also been a 
FreeRADIUS update (just regular Debian updates, I'm on 3.0.15 now). 
Could that be related?

Thanks in advance for your help,

Lars



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170901/f3608be1/attachment-0001.sig>


More information about the Freeradius-Users mailing list