EAP fails on TLS protocol version with Windows 7, works fine with Windows 10

Jochem Sparla J.Sparla at iolan.com
Mon Nov 23 17:32:23 CET 2020


I checked and enabled TLS 1.1 and 1.2 as described.
With 1.0 + 1.1 + 1.2 enabled, the problem stays the same.

With 1.0 disabled, and 1.1 + 1.2 enabled, the problem changes.
I now get a "WARNING: !! EAP session for state 0x*************** did not finish!".
I searched: this is usually a certificate or MTU problem.

I do not use certificates at the moment. In Windows configuration 'check server certificate' is not checked.
I changed the MTU of the client from 1500 to 1250 and 1000, without success.

What else can be causing this?


Jochem



IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands
T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199
E iolan at iolan.com • I http://www.iolan.com/

The information contained in this message may be confidential and is
intended to be exclusively for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail.

-----Original message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+j.sparla=iolan.com at lists.freeradius.org] On behalf of L.P.H. van Belle via Freeradius-Users
Sent: Friday 20 November 2020 16:37
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
CC: L.P.H. van Belle <belle at bazuin.nl>
Subject: RE: EAP fails on TLS protocol version with Windows 7, works fine with Windows 10

Google KB3140245

and/or
https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-1-2-on-Windows-7.html

might help you.

Greetz,

Louis


> -----Original message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Jochem Sparla
> Sent: Friday 20 November 2020 16:33
> To: freeradius-users at lists.freeradius.org
> Subject: EAP fails on TLS protocol version with Windows 7, works fine with Windows 10
>
> I have a setup with a Windows 7 and Windows 10 computer authenticating
> with FreeRADIUS 3.0.20 running on Ubuntu 20.04.
>
> The Windows 7 client fails due to a TLS protocol version error:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3  [length 0062]
> (2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
> (2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
> tls: TLS_accept: Error in error
> (2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> (2) eap_peap: ERROR: System call (I/O) error (-1)
> (2) eap_peap: ERROR: TLS receive handshake failed during operation
> (2) eap_peap: ERROR: [eaptls process] = fail
> (2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (2) eap: Sending EAP Failure (code 4) ID 3 length 4
> (2) eap: Failed in EAP select
> (2)     [eap] = invalid
> (2)   } # authenticate = invalid
> (2) Failed to authenticate the user
> (2) Using Post-Auth-Type Reject
>
>
> The Windows 10 client, with the same settings on both the client,
> switch and the same RADIUS server, works fine:
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.3  [length 0097]
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (2) eap_peap: >>> send TLS 1.2  [length 003d]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server hello
> (2) eap_peap: >>> send TLS 1.2  [length 0308]
> (2) eap_peap: TLS_accept: SSLv3/TLS write certificate
> (2) eap_peap: >>> send TLS 1.2  [length 014d]
> (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
> (2) eap_peap: >>> send TLS 1.2  [length 0004]
> (2) eap_peap: TLS_accept: SSLv3/TLS write server done
> (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
> (2) eap_peap: TLS - In Handshake Phase
> (2) eap_peap: TLS - got 1194 bytes of data
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 4 length 1004
> (2) eap: EAP session adding &reply:State = 0x30a058ae32a441c4
> (2)     [eap] = handled
> (2)   } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
>
>
> TLS is configured in mods-enabled/eap:
> tls_max_version = "1.2"
> tls_min_version = "1.0"
>
>
> I have been breaking my head and searching this for multiple days.
> The problem does not seem to be in the lack of TLS 1.3 support in
> FreeRADIUS/OpenSSL1.1.1f, because the Win10 client works fine. It
> starts by asking for TLS 1.3, but gets set to TLS 1.2 and works.
> It seems my standard Windows 7 client (fully up to date) sends a bad
> TLS message, but I have no clue where to look for a solution.
>
>
> Thanks in advance,  Jochem
>
>


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
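
An added triage helper, not part of the original thread or of FreeRADIUS: it groups debug lines by request number and extracts the TLS record labels, alerts, OpenSSL error reason and Post-Auth-Type, so the Windows 7 and Windows 10 excerpts quoted above can be compared field by field. The sample lines are copied (unwrapped, abridged) from those excerpts; the function and field names are assumptions of this example.

```python
import re

# Sample input: lines copied (unwrapped, abridged) from the two debug excerpts in the thread.
WIN7_LOG = """\
(2) eap_peap: <<< recv TLS 1.3  [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap: Sending EAP Failure (code 4) ID 3 length 4
(2) Using Post-Auth-Type Reject
"""
WIN10_LOG = """\
(2) eap_peap: <<< recv TLS 1.3  [length 0097]
(2) eap_peap: >>> send TLS 1.2  [length 003d]
(2) eap: Sending EAP Request (code 1) ID 4 length 1004
(2) Using Post-Auth-Type Challenge
"""

REQ = re.compile(r"^\((\d+)\)\s")
RECORD = re.compile(r"(<<< recv|>>> send) TLS (\d\.\d)\s*(Alert)?\s*"
                    r"\[length ([0-9a-f]{4})\](?:, (\w+) (\w+))?")
OSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]+):(.+)$")
POST_AUTH = re.compile(r"Using Post-Auth-Type (\S+)")

def summarise(log):
    """Group debug lines by request number and extract the TLS-relevant facts."""
    out = {}
    for line in log.splitlines():
        req = REQ.match(line)
        if not req:
            continue  # not a per-request debug line
        s = out.setdefault(int(req.group(1)), {"recv": [], "send": [], "alerts": [],
                                               "openssl": None, "post_auth": None})
        if m := RECORD.search(line):
            direction, label, alert, length, level, desc = m.groups()
            entry = (label, int(length, 16))  # version label as logged, hex length in bytes
            s["recv" if "recv" in direction else "send"].append(entry)
            if alert:
                s["alerts"].append((level, desc))
        elif m := OSSL_ERR.search(line):
            s["openssl"] = {"code": m.group(1), "func": m.group(2), "reason": m.group(3)}
        elif m := POST_AUTH.search(line):
            s["post_auth"] = m.group(1)
    return out

def verdict(s):
    """One-line classification of a summarised request."""
    fatal = [desc for level, desc in s["alerts"] if level == "fatal"]
    if fatal:
        return "server sent fatal alert: " + ", ".join(fatal)
    return "handshake in progress" if s["post_auth"] == "Challenge" else "no TLS alert seen"
```

Calling `verdict(summarise(text)[n])` on a saved `radiusd -X` capture gives the classification for request `n`; the `openssl` field carries the function and reason string to search for.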


