openssl FIPS mode

Alan DeKok aland at deployingradius.com
Thu Nov 7 18:10:45 UTC 2024


On Nov 7, 2024, at 6:02 PM, Timothy J. Ebben via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have set up a FreeRADIUS server to interface with a Cisco managed switch.  I am able to authenticate supplicants using the EAP-TLS protocol.  When I activate FIPS mode in openssl (v3.1.5), I get the following debug output:
> 
> Ready to process requests
> (5) Received Access-Request Id 62 from 192.168.5.132:49205 to 192.168.5.83:1812 length 131
> Dropping packet without response because of error: Received packet from 192.168.5.132 with invalid Message-Authenticator!  (Shared secret is incorrect.) (from client cisco)

  FIPS mode disables MD5.  How exactly it does that depends on OpenSSL.

  Just checking, and it looks like we don't explicitly enable FIPS mode.  That's likely good to add.

> I know the shared secret is correct, because it works when not in FIPS mode.  The shared secret is 15 characters long and includes uppercase and lowercase letters, numbers, and special characters.
> 
> Do I need additional configuration?

  No.

  Don't enable FIPS mode.  The RADIUS protocol uses MD5.  MS-CHAP uses MD4.

  Alan DeKok.
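As an added illustration (not part of this thread or of FreeRADIUS), the check that fails in the debug output above: the RFC 2869 Message-Authenticator is HMAC-MD5 keyed with the shared secret, so once OpenSSL's FIPS mode removes MD5 the verification cannot run at all, and the server can only report it as a shared-secret mismatch. The secret, attributes and Request Authenticator below are constructed sample values.

```python
import hmac
import hashlib
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type

def build_access_request(identifier, authenticator, attributes, secret):
    """Build an Access-Request (code 1) carrying a Message-Authenticator.
    `attributes` is a list of (type, value_bytes); `authenticator` is the
    16-byte Request Authenticator. The HMAC-MD5 is taken over the whole
    packet with the Message-Authenticator value zeroed (RFC 2869 s5.14)."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attributes)
    body += struct.pack("BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    packet = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def find_message_authenticator(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return None  # malformed attribute; stop walking
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None

def verify_message_authenticator(packet, secret):
    """Return "ok", "bad" (wrong secret or altered packet), "missing",
    or "md5-unavailable" when the crypto library refuses MD5 (FIPS mode)."""
    off = find_message_authenticator(packet)
    if off is None:
        return "missing"
    received = packet[off:off + 16]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    try:
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    except ValueError:
        # With OpenSSL in FIPS mode, MD5 is rejected here; the check never
        # runs, which a RADIUS server can only surface as a secret mismatch.
        return "md5-unavailable"
    return "ok" if hmac.compare_digest(received, expected) else "bad"
```

Running the same verification on a FIPS-enabled Python/OpenSSL build returns "md5-unavailable" for every packet, which is the condition the thread describes.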