ERROR: TLS Alert write:fatal:protocol version
Patrick Oberli
patrick.oberli at ost.ch
Thu Jul 1 12:37:11 CEST 2021
Ask that user (I assume you talk about eduroam) to use the new "geteduroam" app: https://play.google.com/store/apps/details?id=app.eduroam.geteduroam&hl=en&gl=US
Maybe he got some old configuration on his mobile that enforces TLS 1.0 (not sure if that is possible though).
NOTE: I have a new e-mail address:
Patrick.oberli at ost.ch
Kind regards
ICT - IT-Infrastructure
Network and Multimedia Team
Patrick Oberli
Direct phone: +41 58 257 4958
Email: patrick.oberli at ost.ch
OST – Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640 Rapperswil | Switzerland | https://www.ost.ch
OST – Ostschweizer Fachhochschule is the merger of HSR Rapperswil, FHS St.Gallen and NTB Buchs.
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+patrick.oberli=ost.ch at lists.freeradius.org> On Behalf Of Christoph Litauer
Sent: Thursday, 1 July 2021 12:14
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: ERROR: TLS Alert write:fatal:protocol version
Thanks for your response. You're right! But not all of the failing clients have an outdated os. At least one of them used an up-to-date Android mobile ...
> On 01.07.2021 at 12:10, L.P.H. van Belle via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> These clients should upgrade the pc/os.
>
> I would say,
> Don't make "their" outdated computers your problem by lowering your security.
> Why waste your time on that.
>
>> -----Original message-----
>> From: Freeradius-Users
>> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Christoph Litauer
>> Sent: Thursday, 1 July 2021 12:08
>> To: Freeradius-Users at lists.freeradius.org
>> Subject: ERROR: TLS Alert write:fatal:protocol version
>>
>> Dear freeradius-users,
>>
>> after googling, reading and debugging for about 3 days now, maybe the
>> community is able to help: Since moving our radius to ubuntu 20.0.4
>> some of our users are not able to authenticate using peap. The error
>> message in radius.log is kind of
>>
>> Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version
>> Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error
>> Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [eduroam at uni-koblenz.de] (from client Unifi AccessPoints port 0 cli ...
>>
>> Most of these clients seem to be very old (macOS El Capitan, iOS 10.x)
>> but not all of them. My suggestion is that these clients try to use
>> TLS 1.0. So I excerpted a debug log with freeradius -X (attached).
>> Indeed I can see
>>
>> (197) eap_peap: <<< recv TLS 1.3 [length 0062]
>> (197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
>>
>> So I changed the following lines in mods-enabled/eap:
>> # disable_tlsv1_2 = no
>> # disable_tlsv1_1 = yes
>> # disable_tlsv1 = yes
>> tls_min_version = "1.0"
>> tls_max_version = "1.2"
>>
>> Restarted radius, but no change at all. Any help is greatly
>> appreciated! Thanks in advance!
>>
>> --
>> Kind regards
>> Christoph
>> _________________________________________
>> Uni Koblenz, Computing Centre, Office A 022
>> Postfach 201602, 56016 Koblenz
>> Fon: +49 261 287-1311, Fax: -100 1311
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
--
Kind regards
Christoph Litauer
_________________________________________
Uni Koblenz, Computing Centre, Office A 022
Postfach 201602, 56016 Koblenz
Fon: +49 261 287-1311, Fax: -100 1311
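
A triage helper for the radius.log lines quoted in the original question, as an added example that is not part of the thread or of FreeRADIUS: it extracts the rejected logins caused by a protocol version alert and counts them per identity and device MAC, so the affected clients can be identified and pointed at a client-side fix. The sample lines, identities and MAC addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the radius.log format quoted in the thread; the
# identities and MAC addresses are made up for this example.
SAMPLE_LOG = """\
Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version
Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error
Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [alice@example.org] (from client Unifi AccessPoints port 0 cli 02-00-00-00-00-01)
Mon Jun 28 16:03:40 2021 : Auth: (371) Login OK: [bob@example.org] (from client Unifi AccessPoints port 0 cli 02-00-00-00-00-02)
Mon Jun 28 16:05:02 2021 : Auth: (372) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [alice@example.org] (from client Unifi AccessPoints port 0 cli 02-00-00-00-00-01)
Mon Jun 28 16:06:11 2021 : Auth: (373) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [dave@example.org] (from client Unifi AccessPoints port 0 cli 02-00-00-00-00-04)
Mon Jun 28 16:07:30 2021 : Auth: (374) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [carol@example.org] (from client Unifi AccessPoints port 0 cli 02-00-00-00-00-03)
"""

# Only the Auth line carries the identity and the device MAC, so match that
# line and require the protocol version alert as the rejection reason.
ALERT_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<req>\d+)\) +Login incorrect "
    r"\((?P<module>\w+): TLS Alert write:fatal:protocol version\): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>.+?) port \d+"
    r"(?: cli (?P<mac>[^\s)]+))?"  # MAC is optional: lines may be truncated
)


def protocol_version_failures(log_text):
    """Return one dict per login rejected because of a protocol version alert."""
    hits = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Count failures per (identity, device MAC) so repeat offenders stand out."""
    return Counter((h["user"], h["mac"]) for h in hits)


if __name__ == "__main__":
    summary = summarize(protocol_version_failures(SAMPLE_LOG))
    for (user, mac), count in summary.most_common():
        print(f"{count:3d}  {user}  {mac}")
```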