ERROR: TLS Alert write:fatal:protocol version
Christoph Litauer
litauer at uni-koblenz.de
Thu Jul 1 12:08:04 CEST 2021
Dear freeradius-users,
after googling, reading and debugging for about 3 days now, maybe the community is able to help: Since moving our radius to Ubuntu 20.0.4, some of our users are not able to authenticate using PEAP. The error message in radius.log is along these lines:
Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version
Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error
Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [eduroam at uni-koblenz.de] (from client Unifi AccessPoints port 0 cli ...
Most of these clients seem to be very old (macOS El Capitan, iOS 10.x) but not all of them. My suggestion is that these clients try to use TLS 1.0. So I excerpted a debug log with freeradius -X (attached). Indeed I can see:
(197) eap_peap: <<< recv TLS 1.3 [length 0062]
(197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
So I changed the following lines in mods-enabled/eap:
# disable_tlsv1_2 = no
# disable_tlsv1_1 = yes
# disable_tlsv1 = yes
tls_min_version = "1.0"
tls_max_version = "1.2"
Restarted radius, but no change at all. Any help is greatly appreciated! Thanks in advance!
--
Kind regards
Christoph
_________________________________________
Uni Koblenz, Computing Centre, Office A 022
Postfach 201602, 56016 Koblenz
Fon: +49 261 287-1311, Fax: -100 1311
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tls.log
Type: application/octet-stream
Size: 55273 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20210701/ee513d87/attachment-0001.obj>
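An added example, not part of the original post and not FreeRADIUS code: a small Python triage script that extracts the rejects caused by a TLS alert from radius.log lines in the format quoted above and counts them per calling station, to show which devices are affected. The sample lines are constructed; user names, client names and MAC addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the radius.log format quoted in the post.
# Users, client names and calling-station IDs are placeholders.
SAMPLE_LOG = """\
Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version
Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error
Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [user1@example.org] (from client ap-group-a port 0 cli AA-BB-CC-00-00-01)
Mon Jun 28 16:05:40 2021 : Auth: (371) Login OK: [user2@example.org] (from client ap-group-a port 0 cli AA-BB-CC-00-00-02)
Mon Jun 28 16:09:03 2021 : ERROR: (372) eap_peap: ERROR: TLS Alert write:fatal:protocol version
Mon Jun 28 16:09:03 2021 : Auth: (372) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [user1@example.org] (from client ap-group-b port 0 cli AA-BB-CC-00-00-01)
"""

# Matches only "Auth: ... Login incorrect" lines whose reason is a TLS alert.
# The client short name may contain spaces, so it is matched lazily up to " port ".
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<req>\d+)\) Login incorrect "
    r"\((?P<module>\w+): TLS Alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>[^)]+)\): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>.+?) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)\s]+))?"
)

def tls_alert_rejects(log_text):
    """Return one dict per Auth reject that was caused by a TLS alert."""
    rejects = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            rejects.append(m.groupdict())
    return rejects

def affected_stations(rejects, alert="protocol version"):
    """Count rejects with the given alert description per calling station (cli)."""
    return Counter(r["cli"] for r in rejects if r["desc"] == alert)

if __name__ == "__main__":
    rejects = tls_alert_rejects(SAMPLE_LOG)
    for r in rejects:
        print(r["ts"], r["req"], r["user"], r["client"], r["cli"], r["dir"], r["desc"])
    for cli, count in affected_stations(rejects).most_common():
        print(f"{cli}: {count} protocol version rejects")
```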