Internal error during EAP-FAST

Sebastian radius at wehle.dev
Thu Oct 29 12:47:27 CET 2020


Ah, I read that it doesn't support 1.3 (that's why I had 1.2 set) but
I missed the note about 1.2/1.1. Thanks.

So now freeradius sends a response, but it still ends up with:

(2) eap: Calling submodule eap_fast to process data
(2) eap_fast: Authenticate
(2) eap_fast: Continuing EAP-TLS
(2) eap_fast: [eaptls verify] = ok
(2) eap_fast: Done initial handshake
(2) eap_fast: (other): before SSL initialization
(2) eap_fast: TLS_accept: before SSL initialization
(2) eap_fast: TLS_accept: before SSL initialization
(2) eap_fast: <<< recv TLS 1.3  [length 005a]
(2) eap_fast: >>> send TLS 1.1  [length 0002]
(2) eap_fast: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(2) eap_fast: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(2) eap_fast: ERROR: System call (I/O) error (-1)
(2) eap_fast: ERROR: TLS receive handshake failed during operation
(2) eap_fast: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP FAST (43) session.  EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 209 length 4

cipher_list is set to "ALL:!EXPORT:!eNULL:!SSLv2@SECLEVEL=0" in fast
{...} and "ALL:!EXPORT:!eNULL:!SSLv2" in tls-config tls-common { ...}
as the comments in mods-available/eap suggest.

Does that mean that the access point insists on a newer version of TLS?

Thanks
Sebastian

On Thu, 29 Oct 2020 at 12:37, Alan DeKok
<aland at deployingradius.com> wrote:
>
> On Oct 29, 2020, at 5:14 AM, Sebastian <radius at wehle.dev> wrote:
> >
> > I try to do an 802.1x authentication of Cisco access points on Aruba
> > switches against Freeradius 3.0.21-1 under Debian 10.6.
> >
> > The APs prefer to do EAP-FAST so I enabled the relevant parts in
> > modules-enabled/eap but whenever an EAP-FAST request arrives now, it
> > throws this:
> > (2) eap: Calling submodule eap_fast to process data
> > (2) eap_fast: Authenticate
> > (2) eap_fast: Continuing EAP-TLS
> > (2) eap_fast: [eaptls verify] = ok
> > (2) eap_fast: Done initial handshake
> > (2) eap_fast: (other): before SSL initialization
> > (2) eap_fast: >>> send TLS 1.3  [length 0002]
>
>   There is no standard for using TLS 1.3 with *any* EAP method.
>
>   The EAP-FAST implementation in FreeRADIUS uses only TLS 1.1.
>
> > I tried to change tls_max_version from 1.2 to 1.3 but that didn't
> > change anything.
>
>   Change it to 1.1.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
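
An added example, not part of the original message or of FreeRADIUS: a small Python helper that rejoins mail-wrapped debug lines like the ones above and groups the TLS record versions, the alert and the OpenSSL error by request number. The function names and the sample input are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: debug lines from the message above, including the
# mail-wrapped OpenSSL error, so the unwrapping step is exercised.
SAMPLE = """\
(2) eap_fast: <<< recv TLS 1.3  [length 005a]
(2) eap_fast: >>> send TLS 1.1  [length 0002]
(2) eap_fast: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(2) eap_fast: ERROR: Failed in __FUNCTION__ (SSL_read):
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared
cipher
(2) eap: Sending EAP Failure (code 4) ID 209 length 4
"""

START = re.compile(r"^(\(\d+\) |\w+: )")   # start of a real log line, not a wrap
REQ = re.compile(r"^\((\d+)\) ")           # request number prefix, e.g. "(2) "
RECORD = re.compile(r"(<<< recv|>>> send) TLS (\d\.\d)\s+\[length ([0-9a-f]+)\]")
ALERT = re.compile(r"TLS Alert (read|write):(\w+):(.+)$")
OSSL = re.compile(r"error:([0-9A-F]{8}):[^:]*:([^:]*):(.+)$")

def unwrap(text):
    """Rejoin fragments that a mail client wrapped in the middle of a log line."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if out and not START.match(line):
            out[-1] += " " + line.strip()   # continuation of the previous line
        else:
            out.append(line)
    return out

def triage(text):
    """Return {request: {"records", "alerts", "errors"}} for the debug text."""
    reqs = defaultdict(lambda: {"records": [], "alerts": [], "errors": []})
    for line in unwrap(text):
        m = REQ.match(line)
        if not m:
            continue                        # lines without a request number
        r = reqs[int(m.group(1))]
        if (x := RECORD.search(line)):      # (direction, version label, length)
            r["records"].append((x.group(1)[4:], x.group(2), int(x.group(3), 16)))
        if (x := ALERT.search(line)):       # (direction, level, description)
            r["alerts"].append(x.groups())
        if (x := OSSL.search(line)):        # (error code, function, reason)
            r["errors"].append(x.groups())
    return dict(reqs)
```
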

