TLS Alert read:fatal:internal error
Piotr Rudzki
ryba.lodz at gmail.com
Thu May 27 19:06:38 CEST 2021
I have a strange problem with freeradius. It was working as expected and
suddenly stopped authenticating wpa2-eap users to active directory.
I've recreated the whole VM with the freeradius server without success.
The same credentials work for ikev2 mschapv2 authentication but not for
wireless wpa2-eap (android and windows clients). Am I missing something?
Below is the debug log with the error:
(9) eap: Expiring EAP session with state 0x977b062a947f1f7c
(9) eap: Finished EAP session with state 0x977b062a947f1f7c
(9) eap: Previous EAP request found for state 0x977b062a947f1f7c, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(9) eap_peap: Got complete TLS record (7 bytes)
(9) eap_peap: [eaptls verify] = length included
(9) eap_peap: <<< recv TLS 1.2 [length 0002]
(9) eap_peap: ERROR: TLS Alert read:fatal:internal error
(9) eap_peap: TLS_accept: Need to read more data: error
(9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094438:SSL
routines:ssl3_read_bytes:tlsv1 alert internal error
(9) eap_peap: TLS - In Handshake Phase
(9) eap_peap: TLS - Application data.
(9) eap_peap: ERROR: TLS failed during operation
(9) eap_peap: ERROR: [eaptls process] = fail
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(9) eap: Sending EAP Failure (code 4) ID 4 length 4
(9) eap: Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> some_domain\\some_user
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
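
Added example, not part of the original post and not FreeRADIUS code: a small triage helper that reads debug output like the log above, reports which side sent each TLS alert ("read" means the server received it from the peer, "write" means the server sent it), and unpacks the OpenSSL error code. It assumes the OpenSSL 1.0/1.1 packed error layout; the names `triage`, `decode_openssl_error` and `SAMPLE` are hypothetical.

```python
import re

# TLS alert descriptions (RFC 5246 section 7.2), subset seen in handshake failures.
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
          80: "internal_error"}

ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):([\w ]+)")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# Lines copied from the debug log in the post, including the mail-wrapped line.
SAMPLE = """(9) eap_peap: <<< recv TLS 1.2 [length 0002]
(9) eap_peap: ERROR: TLS Alert read:fatal:internal error
(9) eap_peap: TLS_accept: Need to read more data: error
(9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094438:SSL
routines:ssl3_read_bytes:tlsv1 alert internal error
"""


def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.0/1.1 error code: 8 bits lib, 12 bits func, 12 bits reason."""
    code = int(code_hex, 16)
    lib, reason = (code >> 24) & 0xFF, code & 0xFFF
    # In the SSL library (lib 20), reasons above 1000 mean "received alert N" + 1000.
    alert = reason - 1000 if lib == 20 and reason > 1000 else None
    return {"lib": lib, "reason": reason, "alert": alert,
            "alert_name": ALERTS.get(alert)}


def triage(log_text):
    """Return ([(sender, level, description)], [decoded error dicts]) for a debug log."""
    # Rejoin continuation lines: real log lines start with "(request number)".
    text = re.sub(r"\n(?!\()", " ", log_text)
    alerts = []
    for direction, level, desc in ALERT_RE.findall(text):
        sender = "peer (supplicant)" if direction == "read" else "server"
        alerts.append((sender, level, desc.strip()))
    errors = [decode_openssl_error(c) for c in ERR_RE.findall(text)]
    return alerts, errors


if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```

For this log the alert is on the read side, so it was sent by the supplicant and only received by the server.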