freeradius - TLS1.3 support
Akhil Pillai
akhilpillai101 at gmail.com
Fri Feb 14 15:19:17 UTC 2025
Hello All,
I have been facing an issue with using tls1.3 in the freeradius.
I have been using OpenWrt OS 24.10-rc2 hosted on a linksys router 3200acm.
I have been using freeradius 3.2.5 and openssl 3.0.15. I am trying to
setup a cert based authentication. My client is a linux system. My setup
works fine when i set the tls min,max to 1.2 in the eap. Now i wanted to
use it with tls1.3 and below is the error message that i am getting at the
radius server:
(2) Finished request
Waking up in 0.1 seconds.
(3) Received Access-Request Id 25 from 127.0.0.1:48027 to 127.0.0.1:1812
length 414
(3) Message-Authenticator = 0xc98320007899b6bb4770df4b55e42006
(3) User-Name = "user"
(3) NAS-IP-Address = 127.0.0.1
(3) NAS-Identifier = "24f5a2c3707a"
(3) Called-Station-Id = "24-F5-A2-C3-70-7A:WIFI_LNK_5G"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 1
(3) Calling-Station-Id = "C0-EE-40-45-49-8C"
(3) Connect-Info = "CONNECT 54Mbps 802.11a"
(3) Acct-Session-Id = "6F4499DCFDDEF213"
(3) Attr-186 = 0x000fac04
(3) Attr-187 = 0x000fac04
(3) Attr-188 = 0x000fac01
(3) Framed-MTU = 1400
(3) EAP-Message =
0x02ff00c40d0016030100b9010000b503036218c045b79856a9894150ad6bbca3a09f0e1cd0191899d60097eb7db525a122000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(3) State = 0xeafcdefdea03d3f8dbd1dcc1dd69fc85
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) # Executing section authorize from file
/etc/freeradius3/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "user", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 255 length 196
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius3/sites-enabled/default
(3) authenticate {
(3) eap: Removing EAP session with state 0xeafcdefdea03d3f8
(3) eap: Previous EAP request found for state 0xeafcdefdea03d3f8, released
from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: (TLS) EAP Got final fragment (190 bytes)
(3) eap_tls: WARNING: (TLS) EAP Total received record fragments (190
bytes), does not equal expected expected data length (0 bytes)
(3) eap_tls: (TLS) EAP Done initial handshake
(3) eap_tls: (TLS) TLS - Handshake state - before SSL initialization
(3) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(3) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(3) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(3) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal protocol_version
(3) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version
(3) eap_tls: ERROR: (TLS) TLS - Server : Error in error
(3) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL
routines::unsupported protocol
(3) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(3) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(3) eap_tls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed
(3) eap: Sending EAP Failure (code 4) ID 255 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius3/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> user
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds
(0) Cleaning up request packet ID 22 with timestamp +589 due to
cleanup_delay was reached
(1) Cleaning up request packet ID 23 with timestamp +589 due to
cleanup_delay was reached
Waking up in 0.2 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 25 from 127.0.0.1:1812 to 127.0.0.1:48027 length
44
(3) EAP-Message = 0x04ff0004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
I did update the eap file tls_min_version and tls_max_version to 1.3
Any help is highly appreciated.
-Akhil
More information about the Freeradius-Users
mailing list