EAP fails on TLS protocol version with Windows 7, works fine with Windows 10
L.P.H. van Belle
belle at bazuin.nl
Fri Nov 20 16:36:56 CET 2020
Google KB3140245
and/or
https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-1-2-on-Windows-7.html
might help you.
Greetz,
Louis
> -----Original Message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On Behalf Of Jochem Sparla
> Sent: Friday, 20 November 2020 16:33
> To: freeradius-users at lists.freeradius.org
> Subject: EAP fails on TLS protocol version with Windows 7,
> works fine with Windows 10
>
> I have a setup with a Windows 7 and Windows 10 computer
> authenticating with FreeRADIUS 3.0.20 running on Ubuntu 20.04.
>
> The Windows 7 client fails due to a TLS protocol version error:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3 [length 0062]
> (2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
> (2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
> tls: TLS_accept: Error in error
> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> (2) eap_peap: ERROR: System call (I/O) error (-1)
> (2) eap_peap: ERROR: TLS receive handshake failed during operation
> (2) eap_peap: ERROR: [eaptls process] = fail
> (2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (2) eap: Sending EAP Failure (code 4) ID 3 length 4
> (2) eap: Failed in EAP select
> (2) [eap] = invalid
> (2) } # authenticate = invalid
> (2) Failed to authenticate the user
> (2) Using Post-Auth-Type Reject
>
>
> The Windows 10 client, with the same settings on both the
> client, switch and the same RADIUS server, works fine:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3 [length 0097]
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (2) eap_peap: >>> send TLS 1.2 [length 003d]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server hello
> (2) eap_peap: >>> send TLS 1.2 [length 0308]
> (2) eap_peap: TLS_accept: SSLv3/TLS write certificate
> (2) eap_peap: >>> send TLS 1.2 [length 014d]
> (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
> (2) eap_peap: >>> send TLS 1.2 [length 0004]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server done
> (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
> (2) eap_peap: TLS - In Handshake Phase
> (2) eap_peap: TLS - got 1194 bytes of data
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 4 length 1004
> (2) eap: EAP session adding &reply:State = 0x30a058ae32a441c4
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
>
>
> TLS is configured in mods-enabled/eap:
> tls_max_version = "1.2"
> tls_min_version = "1.0"
>
>
> I have been breaking my head and searching this for multiple days.
> The problem does not seem to be in the lack of TLS 1.3
> support in FreeRADIUS/OpenSSL1.1.1f, because the Win10 client
> works fine. It starts by asking for TLS 1.3, but gets set to
> TLS 1.2 and works.
> It seems my standard Windows 7 client (fully up to date) sends
> a bad TLS message, but I have no clue where to look for a solution.
>
>
> Thanks in advance, Jochem
>
>
> IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands
> T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199
> E iolan at iolan.com • I http://www.iolan.com/
>
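
As an added example (not part of the original thread and not FreeRADIUS code), a small Python parser for FreeRADIUS debug lines like the ones quoted above: it summarizes each request's EAP-TLS handshake and pulls out the TLS alert and the OpenSSL reason, so the Windows 7 and Windows 10 traces can be compared directly. The sample input is abridged from the two traces in the post with mail-wrapped lines rejoined; the function and field names are illustrative.

```python
import re

# Excerpts of the two debug traces quoted above, with mail-wrapped lines rejoined.
WIN7 = """\
(2) eap_peap: <<< recv TLS 1.3 [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_peap: ERROR: [eaptls process] = fail
"""
WIN10 = """\
(2) eap_peap: <<< recv TLS 1.3 [length 0097]
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: [eaptls process] = handled
"""

LINE = re.compile(r"^\((\d+)\)\s+(eap_\w+): (.*)$")
ALERT = re.compile(r">>> send TLS \S+ Alert \[length \w+\], (\w+) (\w+)")
SENT = re.compile(r">>> send TLS (\d\.\d)\s+\[length")
OPENSSL = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.+)$")
RESULT = re.compile(r"\[eaptls process\] = (\w+)")

def summarize(log):
    """Map (request id, EAP module) -> handshake summary for a debug trace."""
    out = {}
    for raw in log.splitlines():
        m = LINE.match(raw.lstrip("> ").rstrip())  # tolerate mail-quoted lines
        if not m:
            continue  # not an EAP-TLS module line, or a wrapped continuation
        req, module, msg = int(m.group(1)), m.group(2), m.group(3)
        s = out.setdefault((req, module), {"server_versions": [], "alert": None,
                                           "openssl": None, "result": None})
        if (a := ALERT.search(msg)):
            s["alert"] = (a.group(1), a.group(2))  # (level, description)
        elif (v := SENT.search(msg)) and v.group(1) not in s["server_versions"]:
            s["server_versions"].append(v.group(1))  # record version the server sent
        if (e := OPENSSL.search(msg)):
            s["openssl"] = {"code": e.group(1), "function": e.group(2), "reason": e.group(3)}
        if (r := RESULT.search(msg)):
            s["result"] = r.group(1)
    return out

def failed_handshakes(log):
    """Only the sessions the server aborted with a fatal TLS alert."""
    return {k: s for k, s in summarize(log).items()
            if s["alert"] and s["alert"][0] == "fatal"}

if __name__ == "__main__":
    print(summarize(WIN7), summarize(WIN10), sep="\n")
```
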