TLS errors and clients sometimes rejected

Rodrigo Abrantes Antunes rodrigoantunes at pelotas.ifsul.edu.br
Wed Sep 18 12:02:02 UTC 2024



> On Sep 17, 2024, at 12:46 PM, Rodrigo Abrantes Antunes  
> <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>> ## REJECTED
>> ..
>> (911) eap_peap: (TLS) send TLS 1.2 Alert, fatal protocol_version
>> (911) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
>
> Ah, that's the other end saying it doesn't like the protocol version  
> which FreeRADIUS is using.
>
> It should negotiate a mutually compatible TLS version, but... whatever.
>
>> Doesn't cipher_list = "DEFAULT@SECLEVEL=0" tell the server to  
>> support the old ciphers?
>
> That configuration tells OpenSSL to support the old ciphers.  Mostly.
>
> Some newer OS distributions have removed support for old TLS  
> versions from OpenSSL.  You will need to investigate your local OS  
> to see what it supports, and what TLS versions are supported by the  
> OpenSSL libraries.
>
> Again... this isn't a FreeRADIUS issue.  No amount of poking  
> FreeRADIUS will get OpenSSL to support TLS 1.0 with triple-DES, if  
> that's what the clients are using.  You might just need to upgrade  
> the client, or build a custom version of OpenSSL.
>
>> Configure OpenSSL (e.g. cipher_list) so that it works with a new  
>> version of OpenSSL.  Or, use an old version of OpenSSL.  There  
>> really aren't many other choices.
>>
>> What are the other choices possible?
>
> Live with the fact that some devices won't work, because they're too old.
>  

What can explain that sometimes the same clients get accepted? I have  
sent the accept log in the other email.

I kick the user from the wireless controller and it gets accepted, but  
after some time it gets rejected, and soon it gets accepted again; it  
seems to be random (see below).

Could it be that the client or the server is doing some kind of failover?  
Trying one version and, if it doesn't work, trying another? If yes, is this  
configurable?



2024-09-17T13:34:00.037165-03:00 ifs01sv004 radiusd[124150]: (4131)  
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 1 cli 70-18-8b-fd-8f-e5)
2024-09-17T13:34:18.500907-03:00 ifs01sv004 radiusd[124150]: (4757)    
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 0 via TLS tunnel)
2024-09-17T13:34:18.504874-03:00 ifs01sv004 radiusd[124150]: (4758)  
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:36:52.439539-03:00 ifs01sv004 radiusd[124150]: (7831)  
Login incorrect (eap_peap: (TLS) Alert write:fatal:protocol version):  
[202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli  
2a-93-80-4d-f3-c3)
2024-09-17T13:37:58.161709-03:00 ifs01sv004 radiusd[124150]: (9110)    
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 0 via TLS tunnel)
2024-09-17T13:37:58.166535-03:00 ifs01sv004 radiusd[124150]: (9112)  
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:38:19.715578-03:00 ifs01sv004 radiusd[124150]: (9543)    
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 0 via TLS tunnel)
2024-09-17T13:38:19.720846-03:00 ifs01sv004 radiusd[124150]: (9544)  
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:38:54.160824-03:00 ifs01sv004 radiusd[124150]: (10034)    
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 0 via TLS tunnel)
2024-09-17T13:38:54.171994-03:00 ifs01sv004 radiusd[124150]: (10035)  
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:41:08.645238-03:00 ifs01sv004 radiusd[124150]: (11986)    
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 0 via TLS tunnel)
2024-09-17T13:41:08.650699-03:00 ifs01sv004 radiusd[124150]: (11987)  
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:43:23.660156-03:00 ifs01sv004 radiusd[124150]: (14127)  
Login incorrect (eap_peap: (TLS) Alert write:fatal:protocol version):  
[202011160097/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli  
2a-93-80-4d-f3-c3)
2024-09-17T13:43:38.674200-03:00 ifs01sv004 radiusd[124150]: (14462)    
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 0 via TLS tunnel)
2024-09-17T13:43:38.678449-03:00 ifs01sv004 radiusd[124150]: (14463)  
Login OK: [202011160097/<via Auth-Type = eap>] (from client cisco-wlc  
port 1 cli 2a-93-80-4d-f3-c3)
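An added example (not from the post or from FreeRADIUS) that triages the pattern asked about above: it parses radiusd login records, separates the outer per-MAC EAP results from the inner-tunnel ones, and reports supplicants that alternate between completed handshakes and protocol_version alerts. The sample lines are modelled on the post's log with the user id replaced by a placeholder and each record on a single line (the mailer wrapped them); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the radiusd lines quoted in the post, one syslog
# record per line; the user id is replaced by the placeholder USERID.
SAMPLE_LOG = """\
2024-09-17T13:34:00.037165-03:00 ifs01sv004 radiusd[124150]: (4131) Login OK: [USERID/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 70-18-8b-fd-8f-e5)
2024-09-17T13:34:18.500907-03:00 ifs01sv004 radiusd[124150]: (4757) Login OK: [USERID/<via Auth-Type = eap>] (from client cisco-wlc port 0 via TLS tunnel)
2024-09-17T13:34:18.504874-03:00 ifs01sv004 radiusd[124150]: (4758) Login OK: [USERID/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:36:52.439539-03:00 ifs01sv004 radiusd[124150]: (7831) Login incorrect (eap_peap: (TLS) Alert write:fatal:protocol version): [USERID/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:37:58.166535-03:00 ifs01sv004 radiusd[124150]: (9112) Login OK: [USERID/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:43:23.660156-03:00 ifs01sv004 radiusd[124150]: (14127) Login incorrect (eap_peap: (TLS) Alert write:fatal:protocol version): [USERID/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3)
2024-09-17T13:43:38.678449-03:00 ifs01sv004 radiusd[124150]: (14463) Login OK: [USERID/<via Auth-Type = eap>] (from client cisco-wlc port 1 cli 2a-93-80-4d-f3-c3)
"""

LINE_RE = re.compile(  # one "Login OK" / "Login incorrect" syslog record
    r"^(?P<ts>\S+) \S+ radiusd\[\d+\]: \((?P<req>\d+)\) "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^/\]]+)/[^\]]*\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5}))?"
)

def parse_line(line):
    """Return the record's fields, or None for lines that are not login results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec["result"] == "OK"
    rec["version_alert"] = bool(rec["reason"]) and "protocol version" in rec["reason"]  # no TLS version agreed
    return rec

def outcomes_by_mac(log_text):
    """Outer EAP results per supplicant MAC, in log order; inner-tunnel results (port 0) carry no MAC and are skipped."""
    seq = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["mac"]:
            label = "OK" if rec["ok"] else ("VERSION_ALERT" if rec["version_alert"] else "REJECT")
            seq[rec["mac"]].append(label)
    return dict(seq)

def flapping_macs(log_text):
    """Supplicants with both completed handshakes and protocol_version alerts, i.e. the negotiated TLS version differs between attempts."""
    report = {}
    for mac, labels in outcomes_by_mac(log_text).items():
        oks, alerts = labels.count("OK"), labels.count("VERSION_ALERT")
        if oks and alerts:
            report[mac] = {"ok": oks, "version_alerts": alerts, "sequence": labels}
    return report
```

A MAC in the report is one whose successes and version alerts should be compared in full debug output to see which TLS versions each attempt offered; a MAC with only alerts is simply unsupported by the server's OpenSSL.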
