Authentication problems with some devices: TLS version too low
aland at deployingradius.com
Fri Sep 1 20:20:07 CEST 2017
On Sep 1, 2017, at 1:16 PM, Lars Veldscholte <lars at tuxplace.nl> wrote:
> I have problems with authenticating some clients using PEAP-MSCHAP. I've seen two (unrelated) devices having this issue so far: an Android phone and a Windows 7 PC. Other clients do not have this problem.
Vendors are starting to move to TLS 1.2 everywhere.
> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417D18C:SSL routines:tls_process_client_hello:version too low
> (2) eap_peap: ERROR: System call (I/O) error (-1)
> (2) eap_peap: ERROR: TLS receive handshake failed during operation
> (2) eap_peap: ERROR: [eaptls process] = fail
> (2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (2) eap: Sending EAP Failure (code 4) ID 230 length 4
> (2) eap: Failed in EAP select
> (2) [eap] = invalid
> (2) } # authenticate = invalid
> (2) Failed to authenticate the user
> I'm not sure if I'm interpreting this correctly, but it seems that the client is trying to talk in TLSv1.2 while FreeRADIUS doesn't support that?
Pretty much. They *should* be able to negotiate a compatible TLS version, if your local version of OpenSSL supports TLS 1.2.
> I don't know what started this problem. PEAP always worked in the past, until now.
The clients upgraded, and now only allow TLS 1.2.
> The only thing I can think of is that I've recently generated new certificates (old ones were expired). There has also been a FreeRADIUS update (just regular Debian updates, I'm on 3.0.15 now). Could that be related?
You will need to update OpenSSL to a version which supports TLS 1.2. And then re-build and re-install FreeRADIUS.
Given that *everything* depends on OpenSSL, you're probably better off just installing a new VM with a recent version of Debian. Then, copy your current configuration over to the new machine.
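
A triage sketch for the debug output quoted above, added here as an example and not part of the original thread or of FreeRADIUS: it extracts the OpenSSL error from `radiusd -X` style EAP lines and flags requests that failed on TLS version negotiation. The sample log is constructed in the format shown in the post; `tls_failures` and `VERSION_REASONS` are names chosen for this example.

```python
import re

# Constructed sample in the format of the debug lines quoted in the post.
SAMPLE_LOG = """\
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417D18C:SSL routines:tls_process_client_hello:version too low
(2) eap_peap: ERROR: TLS receive handshake failed during operation
(2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 230 length 4
(3) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(4) eap: Sending EAP Success (code 3) ID 12 length 4
"""

# "(request) module: message", tolerating mail-quote prefixes ("> ").
LINE_RE = re.compile(r"^(?:>\s*)*\((\d+)\)\s+(\w+):\s+(.*)$")
# OpenSSL error string layout: error:<hex code>:<library>:<function>:<reason>
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")
# OpenSSL reason strings that indicate a protocol-version negotiation failure.
VERSION_REASONS = {
    "version too low",
    "version too high",
    "unsupported protocol",
    "tlsv1 alert protocol version",
}


def tls_failures(log_text):
    """Map request id -> first OpenSSL error logged for that request."""
    found = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # e.g. "(2) [eap] = invalid" carries no module message
        req, module, message = int(line.group(1)), line.group(2), line.group(3)
        err = OSSL_RE.search(message)
        if not err:
            continue
        reason = err.group(4).strip()
        found.setdefault(req, {
            "module": module,
            "code": err.group(1).upper(),
            "function": err.group(3),  # handshake step that raised the error
            "reason": reason,
            "version_mismatch": reason in VERSION_REASONS,
        })
    return found


if __name__ == "__main__":
    for req, info in sorted(tls_failures(SAMPLE_LOG).items()):
        kind = "TLS version mismatch" if info["version_mismatch"] else "other TLS error"
        print(f"request {req}: {kind}: {info['reason']} in {info['function']}")
```

Requests flagged as a version mismatch are the ones where the TLS versions allowed by the client and by the server's OpenSSL build need to be compared; other TLS errors, such as certificate alerts, are reported separately.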