TLS 1.3 for PEAP?

Doug Wussler doug.wussler at fsu.edu
Tue Jul 9 15:57:03 CEST 2019


The only case I know of where a client has attempted to negotiate TLS 1.3 (for PEAP) is an Ubuntu 18.04 client
running OpenSSL 1.1.1, and it fails during TLS negotiation with our FreeRADIUS server, which is v3.0.17 on RHEL
7.6 with OpenSSL 1.1.1c.

Do we know with any certainty whether this is a problem with OpenSSL, FreeRADIUS or something else with
the peers?  I can resolve the problem by setting "tls_max_version = '1.2'" but would like to see the negotiation
for 1.3 succeed.

The failure is early, in the request immediately following the EAP Identity.  Here is the relevant debug info.


(126) fsu-eap: Calling submodule eap_peap to process data
(126) eap_peap: Continuing EAP-TLS
(126) eap_peap: Peer sent flags --L
(126) eap_peap: Peer indicated complete TLS record size will be 289 bytes
(126) eap_peap: Got complete TLS record (289 bytes)
(126) eap_peap: [eaptls verify] = length included
(126) eap_peap: (other): before SSL initialization
(126) eap_peap: TLS_accept: before SSL initialization
Ignoring cbtls_msg call with pseudo content type 256, version 0
(126) eap_peap: TLS_accept: before SSL initialization
(126) eap_peap: <<< recv TLS 1.3  [length 011c]
(126) eap_peap: TLS_accept: SSLv3/TLS read client hello
Ignoring cbtls_msg call with pseudo content type 256, version 0
(126) eap_peap: >>> send TLS 1.3  [length 0058]
(126) eap_peap: TLS_accept: SSLv3/TLS write server hello
Ignoring cbtls_msg call with pseudo content type 256, version 0
(126) eap_peap: >>> send TLS 1.3  [length 0001]
(126) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(126) eap_peap: TLS_accept: TLSv1.3 early data
(126) eap_peap: TLS_accept: Need to read more data: TLSv1.3 early data
(126) eap_peap: TLS - In Handshake Phase
(126) eap_peap: TLS - Failed getting session
(126) eap_peap: TLS receive handshake failed during operation
(126) eap_peap: [eaptls process] = fail
(126) fsu-eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(126) fsu-eap: Sending EAP Failure (code 4) ID 2 length 4
(126) fsu-eap: Failed in EAP select
(126)     modsingle[authenticate]: returned from fsu-eap (rlm_eap)
(126)     [fsu-eap] = invalid
(126)   } # Auth-Type fsu-eap = invalid
(126) Failed to authenticate the user
(126) Using Post-Auth-Type Reject

Doug Wussler
Florida State University
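
An added example, not part of the original post and not FreeRADIUS code: a small triage script that groups debug output like the above by request number and reports which requests failed while TLS 1.3 records were being exchanged, along with the last handshake state logged. The function names are hypothetical, and the request 127 lines in the sample are constructed for contrast.

```python
import re
from collections import defaultdict

# Request 126 lines are taken from the debug output in the post above.
# Request 127 is a constructed contrast case in the same line format.
SAMPLE = """\
(126) eap_peap: <<< recv TLS 1.3  [length 011c]
(126) eap_peap: TLS_accept: SSLv3/TLS read client hello
Ignoring cbtls_msg call with pseudo content type 256, version 0
(126) eap_peap: >>> send TLS 1.3  [length 0058]
(126) eap_peap: TLS_accept: SSLv3/TLS write server hello
(126) eap_peap: TLS_accept: TLSv1.3 early data
(126) eap_peap: TLS_accept: Need to read more data: TLSv1.3 early data
(126) eap_peap: TLS - Failed getting session
(126) eap_peap: [eaptls process] = fail
(126) fsu-eap: Sending EAP Failure (code 4) ID 2 length 4
(127) eap_peap: <<< recv TLS 1.2  [length 00c5]
(127) eap_peap: TLS_accept: SSLv3/TLS read client hello
(127) eap_peap: >>> send TLS 1.2  [length 0059]
(127) eap_peap: TLS_accept: SSLv3/TLS write server hello
"""

REQ = re.compile(r"^\((\d+)\)\s+(.*)$")  # "(126) module: message"
RECORD = re.compile(r"(?:<<< recv|>>> send) TLS (\d\.\d)")
STATE = re.compile(r"TLS_accept: (.+)$")
FAIL_MARKERS = ("[eaptls process] = fail", "Sending EAP Failure")

def triage(text):
    """Summarise the TLS handshake of each numbered request in the log."""
    reqs = defaultdict(lambda: {"versions": set(), "last_state": None, "failed": False})
    for line in text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue  # lines without a request number, e.g. "Ignoring cbtls_msg ..."
        info, body = reqs[int(m.group(1))], m.group(2)
        if (rec := RECORD.search(body)):
            info["versions"].add(rec.group(1))
        if (st := STATE.search(body)):
            info["last_state"] = st.group(1)
        if any(marker in body for marker in FAIL_MARKERS):
            info["failed"] = True
    return dict(reqs)

def tls13_failures(text):
    """Request numbers that failed after TLS 1.3 records were seen."""
    return sorted(n for n, r in triage(text).items() if r["failed"] and "1.3" in r["versions"])

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for n in tls13_failures(SAMPLE):
        print(f"request {n}: failed, last state: {summary[n]['last_state']}")
```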




More information about the Freeradius-Users mailing list