ERROR: TLS Alert write:fatal:protocol version

Christoph Litauer litauer at uni-koblenz.de
Thu Jul 1 12:13:30 CEST 2021


Thanks for your response. You're right! But not all of the failing clients have an outdated OS. At least one of them used an up-to-date Android mobile ...

> On 01.07.2021 at 12:10, L.P.H. van Belle via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> These clients should upgrade the pc/os. 
> 
> I would say, 
> Don't make "their" outdated computers your problem by lowering your security. 
> Why waste your time on that?  
> 
>> -----Original message-----
>> From: Freeradius-Users 
>> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Christoph Litauer
>> Sent: Thursday, 1 July 2021 12:08
>> To: Freeradius-Users at lists.freeradius.org
>> Subject: ERROR: TLS Alert write:fatal:protocol version
>> 
>> Dear freeradius-users,
>> 
>> after googling, reading and debugging for about 3 days now, 
>> maybe the community is able to help: Since moving our radius 
>> to Ubuntu 20.0.4 some of our users are not able to 
>> authenticate using PEAP. The error message in radius.log is kind of
>> 
>> Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS 
>> Alert write:fatal:protocol version
>> Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error
>> Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect 
>> (eap_peap: TLS Alert write:fatal:protocol version): 
>> [eduroam at uni-koblenz.de] (from client Unifi AccessPoints port 
>> 0 cli ...
>> 
>> Most of these clients seem to be very old (macOS El Capitan, 
>> iOS 10.x) but not all of them. My suggestion is that these 
>> clients try to use TLS 1.0. So I excerpted a debug log with 
>> freeradius -X (attached). Indeed I can see
>> 
>> (197) eap_peap: <<< recv TLS 1.3  [length 0062]
>> (197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal 
>> protocol_version
>> 
>> So I changed the following lines in mods-enabled/eap:
>>        #       disable_tlsv1_2 = no
>>        #       disable_tlsv1_1 = yes
>>        #       disable_tlsv1 = yes
>>                tls_min_version = "1.0"
>>                tls_max_version = "1.2"
>> 
>> Restarted radius, but no change at all. Any help is greatly 
>> appreciated! Thanks in advance!
>> 
>> --
>> Kind regards
>> Christoph
>> _________________________________________
>> Uni Koblenz, Computing Centre, Office A 022    
>> Postfach 201602, 56016 Koblenz     
>> Fon: +49 261 287-1311, Fax: -100 1311
>> 
>> 
>> 
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>> 


-- 
Kind regards
Christoph Litauer
_________________________________________
Uni Koblenz, Computing Centre, Office A 022
Postfach 201602, 56016 Koblenz     
Fon: +49 261 287-1311, Fax: -100 1311
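
An added example, not part of the original thread and not FreeRADIUS code: a small triage script that lists which users and devices hit the `protocol version` alert, so the "old clients, but not all of them" observation can be checked per device. It assumes radius.log holds one entry per line in the format quoted above, with `cli` carrying the Calling-Station-Id; the sample lines, user names and MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the radius.log format quoted in the post
# (one entry per line; user names and MAC addresses are made up).
SAMPLE_LOG = """\
Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version
Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error
Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [alice@example.org] (from client Unifi AccessPoints port 0 cli AA-BB-CC-00-00-01)
Mon Jun 28 16:03:40 2021 : Auth: (371) Login OK: [bob@example.org] (from client Unifi AccessPoints port 0 cli AA-BB-CC-00-00-02)
Mon Jun 28 16:05:02 2021 : Auth: (375) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [alice@example.org] (from client Unifi AccessPoints port 0 cli AA-BB-CC-00-00-01)
Mon Jun 28 16:06:11 2021 : Auth: (380) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol@example.org] (from client Unifi AccessPoints port 0 cli AA-BB-CC-00-00-03)
Mon Jun 28 16:07:30 2021 : Auth: (381) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [dave@example.org] (from client Unifi AccessPoints port 0 cli AA-BB-CC-00-00-04)
"""

# Failed-auth summary line: timestamp, request id, reason, user, NAS client, cli.
AUTH_FAIL = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<req>\d+)\) Login incorrect "
    r"\((?P<reason>.*?)\): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>.+?) port \d+(?: cli (?P<cli>[^)\s]+))?\)\s*$"
)
ALERT = "TLS Alert write:fatal:protocol version"


def protocol_version_failures(log_text):
    """Map (user, cli) -> timestamps of rejections caused by the TLS alert."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        # Other rejection reasons (e.g. a wrong password) are ignored.
        if m and ALERT in m["reason"]:
            hits[(m["user"], m["cli"] or "-")].append(m["ts"])
    return dict(hits)


if __name__ == "__main__":
    report = protocol_version_failures(SAMPLE_LOG)
    for (user, cli), stamps in sorted(report.items()):
        print(f"{user:22} {cli}  failures={len(stamps)}  last={stamps[-1]}")
```

The resulting list of device addresses can then be matched against an inventory to see which operating systems are actually affected.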







