EAP TLS fatal protocol version

roudi at rjbsoft.co.za roudi at rjbsoft.co.za
Sat Jun 24 16:52:30 UTC 2023


Hi,
I recently got a VPS for my RADIUS server as I am having issues keeping 
my local server online due to prolonged rolling blackouts.

My new server is Ubuntu 22.04.2 and I have installed the latest 
FreeRADIUS v3.2.3 and I am using MySQL. My FreeRADIUS server is working 
perfectly for PPPoE authentication on Mikrotik. My problem comes in on 
my Ubiquiti Sectors where I have WPA2-Enterprise Authentication on the 
WiFi devices. My old server is running Ubuntu 18 with FreeRADIUS v3.0, 
and on that server my WPA2-Enterprise authentication is working 
perfectly.

The error I am getting on the new server looks like this in the log 
file:

(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Peer says that the final record size will be 62 bytes
(6) eap_peap: (TLS) EAP Got all data (62 bytes)
(6) eap_peap: (TLS) Handshake state - before SSL initialization
(6) eap_peap: (TLS) Handshake state - Server before SSL initialization
(6) eap_peap: (TLS) Handshake state - Server before SSL initialization
(6) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(6) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(6) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
(6) eap_peap: ERROR: (TLS) Server : Error in error
(6) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(6) eap_peap: ERROR: (TLS) System call (I/O) error (-1)
(6) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
(6) eap_peap: ERROR: [eaptls process] = fail
(6) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 1 length 4
(6) eap: Failed in EAP select
(6)     [eap] = invalid
(6)   } # authenticate = invalid
(6) Failed to authenticate the user

The problem looks like the client is sending a TLS 1.3 Handshake, and 
FreeRADIUS is replying with a TLS 1.0 reply. I have also noticed that 
Ubuntu 22 is using OpenSSL 3.0.2 15 and Ubuntu 18 was using OpenSSL 
1.1.1. And this is where, I suspect, my problem is, but I am unsure how 
to get around this.

What I have tried:
* Setting TLS Max version to 1.3 in eap config
* Removing OpenSSL v3.0 and installing OpenSSL v1.1.1 on Ubuntu 22, but 
this broke and removed a lot of stuff.
* Downgraded to FreeRADIUS 3.0, same problem.

I could just get a VPS with Ubuntu 18, but this really defeats the point 
as Ubuntu 18 is almost at end of life, and having the latest OS would be 
a good option.

Is there anyone out there that got WPA2-Enterprise authentication 
working on FreeRADIUS 3.0 or 3.2 on Ubuntu 22?

Thanks
Roudi
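
A triage sketch for debug output like the log above, added here as an example and not part of the original post or of FreeRADIUS: it groups the (TLS) lines by request number, reports requests that ended in a fatal alert, and splits the OpenSSL 3.x error code into its library and reason numbers. The sample input is constructed from the log lines in the post (wrapped lines rejoined, plus an invented request 7 for contrast), and all function names are assumptions.

```python
import re

# Constructed sample: failing lines from the post, wrapped lines rejoined,
# plus an invented request (7) that has no alert.
SAMPLE = """\
(6) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(6) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(6) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(6) eap: Sending EAP Failure (code 4) ID 1 length 4
(7) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientHello
"""

# "(N) module: [ERROR: ](TLS) message"
LINE = re.compile(r"^\((\d+)\)\s+(\w+): (?:ERROR: )?\(TLS\) (.*)$")
# "recv|send TLS x.y <record type>, [fatal|warning ]<message name>"
RECORD = re.compile(r"^(recv|send) TLS (\d\.\d) (\w+), (?:(fatal|warning) )?(\w+)")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason text>
OSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def decode_openssl3_error(hex_code):
    """Split an OpenSSL 3.x packed error code into (library, reason) numbers."""
    code = int(hex_code, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def triage(log_text):
    """Return one summary dict per request id that sent or received a fatal TLS alert."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a (TLS) line, e.g. the EAP Failure notice
        req, module, msg = int(m.group(1)), m.group(2), m.group(3)
        s = sessions.setdefault(req, {"request": req, "module": module,
                                      "records": [], "alert": None, "openssl": None})
        rec = RECORD.match(msg)
        if rec:
            direction, version, kind, level, name = rec.groups()
            s["records"].append((direction, version, kind, name))
            if kind == "Alert" and level == "fatal":
                s["alert"] = name
        err = OSSL_ERR.search(msg)
        if err:
            lib, reason = decode_openssl3_error(err.group(1))
            s["openssl"] = {"lib": lib, "reason": reason, "text": err.group(4).strip()}
    return [s for s in sessions.values() if s["alert"]]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

For the sample, library 20 is OpenSSL's SSL library and reason 258 is the numeric form of the "unsupported protocol" text in the log line.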


More information about the Freeradius-Users mailing list