mschap configuration problem
Alan DeKok
aland at deployingradius.com
Tue Jul 14 16:17:10 CEST 2020
On Jul 14, 2020, at 8:53 AM, Piviul <piviul at riminilug.it> wrote:
>
>> (30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048]
>> (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
>> (30) eap_peap: ERROR: TLS Alert
Windows is doing TLS 1.3. There is no standard yet for EAP with TLS 1.3.
Edit mods-available/eap, and set:
    tls_max_version = "1.2"
> and on the win7 client:
>>
>> (14) eap_peap: <<< recv TLS 1.2 [length 0002]
>> (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
You didn't put the root CA onto the Windows machine.
> Winxp and win7 clients both seem to fail during the handshake phase; linux didn't. From the successful linux logs I can find:
>> eap_peap: Peer indicated complete TLS record size will be 126
>
> but reading winxp logs I can see:
>> eap_peap: Peer indicated complete TLS record size will be 77 bytes
>
> and win7:
>> eap_peap: Peer indicated complete TLS record size will be 7 bytes
>
>
> 77 or 7 bytes seems to me not to be enough for a TLS record size, isn't it? Is that the problem?
No. The record sizes depend on all kinds of things. You don't debug a TCP connection by noting that some packets are 64 bytes and others are 200 bytes.
> Anyway, can anyone please help me to find why win{xp,7} clients can't communicate using EAP-TLS?
The error messages from OpenSSL aren't perfect, but they explain exactly what the issue is.
Alan DeKok.
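
A small triage script for the kind of debug output discussed in this thread, added here as an example; it is not part of the original post and is not FreeRADIUS code. The sample lines are constructed from those quoted above, the function and pattern names are hypothetical, and treating "read" as an alert received from the peer is an assumption based on OpenSSL's alert callback naming.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE_LOG = """\
(30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048]
(30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(30) eap_peap: ERROR: TLS Alert
(14) eap_peap: <<< recv TLS 1.2 [length 0002]
(14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(7) eap_peap: Peer indicated complete TLS record size will be 126
"""

# TLS record-layer version bytes as they appear on the wire.
WIRE_VERSIONS = {"0301": "TLS 1.0", "0302": "TLS 1.1",
                 "0303": "TLS 1.2", "0304": "TLS 1.3"}

LINE = re.compile(r"^\((\d+)\) eap_peap: (.*)$")
UNKNOWN_VER = re.compile(r"recv UNKNOWN TLS VERSION \?([0-9A-Fa-f]{4})\?")
SENT_ALERT = re.compile(r">>> send TLS [\d.]+ Alert \[length [0-9a-f]+\], (\w+) (\w+)")
ALERT_ERR = re.compile(r"ERROR: TLS Alert (read|write):(\w+):(.+)")

def triage(log_text):
    """Return {request_number: [finding, ...]} for TLS handshake failures."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, msg = int(m.group(1)), m.group(2)
        if v := UNKNOWN_VER.search(msg):
            name = WIRE_VERSIONS.get(v.group(1), "unrecognised version")
            hint = ' (set tls_max_version = "1.2" in mods-available/eap)' if name == "TLS 1.3" else ""
            findings[req].append(f"peer sent {name} record 0x{v.group(1)}{hint}")
        elif a := SENT_ALERT.search(msg):
            findings[req].append(f"server sent {a.group(1)} alert: {a.group(2)}")
        elif a := ALERT_ERR.search(msg):
            who = "peer sent" if a.group(1) == "read" else "server sent"
            desc = a.group(3).strip()
            hint = " (install the root CA on the client)" if desc == "unknown CA" else ""
            findings[req].append(f"{who} {a.group(2)} alert: {desc}{hint}")
        # Record-size lines are deliberately ignored: they are not diagnostic.
    return dict(findings)

if __name__ == "__main__":
    for req, items in triage(SAMPLE_LOG).items():
        print(req, items)
```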