FreeRadius 3.0.17 - TLS issue
Thorsten Fritsch
2018-11-27 17:37:40 UTC
Dear All,

we're running FR 3.0.17 and currently have some trouble with Windows 10 clients which, since just recently, can no longer
connect to the PEAP/MS-CHAPv2-based eduroam network.

According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates
with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version

(53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0
(53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Type = VLAN
(53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Medium-Type = IEEE-802
(53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Private-Group-Id = "822"
(53282519) Tue Nov 27 16:07:35 2018: Debug: User-Name := "***@unibas.ch"
(53282519) Tue Nov 27 16:07:35 2018: Debug: Chargeable-User-Identity := 0x36353637356537306236383335323162656233383262323062616538613935393935303934323763
(53282519) Tue Nov 27 16:07:35 2018: Debug: MS-MPPE-Recv-Key = 0xde555d4feda0c69ee0c251195d63e1d0f81618a8781522cbe398610d7df41745
(53282519) Tue Nov 27 16:07:35 2018: Debug: MS-MPPE-Send-Key = 0xb3a46cb36458a0dda59935105ffc8bfd38e4141952800b3bb9f989192ada38b0
(53282519) Tue Nov 27 16:07:35 2018: Debug: EAP-Message = 0x030c0004
(53282519) Tue Nov 27 16:07:35 2018: Debug: Message-Authenticator = 0x00000000000000000000000000000000
(53282519) Tue Nov 27 16:07:35 2018: Debug: Finished request
(53282373) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 241 with timestamp +2433639
(53282375) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 242 with timestamp +2433639
(53282376) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 243 with timestamp +2433639
(53282378) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 244 with timestamp +2433639
(53282379) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 245 with timestamp +2433639
(53282380) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 246 with timestamp +2433639
(53282493) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 247 with timestamp +2433640
(53282497) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 248 with timestamp +2433640
(53282502) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 249 with timestamp +2433640
(53282509) Tue Nov 27 16:07:40 2018: Debug: Cleaning up request packet ID 250 with timestamp +2433640
(53282519) Tue Nov 27 16:07:40 2018: Debug: Cleaning up request packet ID 251 with timestamp +2433641
(53283340) Tue Nov 27 16:07:46 2018: ERROR: eap_peap: TLS Alert write:fatal:protocol version

It looks like a TLS mismatch but not sure. Any experiences with this? Which TLS versions are supported by FR 3.0.17?

Thanks and BR,
Thorsten




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users
Alan DeKok
2018-11-28 11:48:50 UTC
Post by Thorsten Fritsch
we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can
connect to the PEAP/MS-CHAPv2-based eduroam network.
According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates
with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version
Likely due to TLS 1.2.
Post by Thorsten Fritsch
(53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0
(53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Type = VLAN
Don't send "radiusd -Xx" please... all of the documentation says to just use "radiusd -X".
Post by Thorsten Fritsch
It looks like a TLS mismatch but not sure. Any experiences with this? Which TLS versions are supported by FR 3.0.17?
FreeRADIUS uses OpenSSL for TLS. So check your OpenSSL library.

Odds are that you're running a version / OS which is a few years old, and doesn't support TLS 1.2. You'll have to upgrade to a recent release of OpenSSL in order to fix that.

Which likely means upgrading the entire OS, as OpenSSL is used by many applications.

Alan DeKok.


Arran Cudbard-Bell
2018-11-29 01:26:17 UTC
Post by Alan DeKok
Post by Thorsten Fritsch
we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can
connect to the PEAP/MS-CHAPv2-based eduroam network.
According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates
with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version
Likely due to TLS 1.2.
Post by Thorsten Fritsch
(53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0
(53282519) Tue Nov 27 16:07:35 2018: Debug: Tunnel-Type = VLAN
Don't send "radiusd -Xx" please... all of the documentation says to just use "radiusd -X".
Post by Thorsten Fritsch
It looks like a TLS mismatch but not sure. Any experiences with this? Which TLS versions are supported by FR 3.0.17?
FreeRADIUS uses OpenSSL for TLS. So check your OpenSSL library.
Odds are that you're running a version / OS which is a few years old, and doesn't support TLS 1.2. You'll have to upgrade to a recent release of OpenSSL in order to fix that.
radiusd -Xv should show you the version of OpenSSL the server is linked against.

-Arran
Thorsten Fritsch
2018-11-29 14:19:20 UTC
Thanks.

we're running on Ubuntu 16.04.5 LTS. Sorry about the very verbose debug output. I took it with raddebug and
didn't know that it's very verbose by default. Will take it to heart next time...

Unfortunately freeradius -Xv doesn't show the linked OpenSSL server on our system:

***@its-edurad-qm:~# freeradius -Xv
radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

It really seems to go into that direction - I found the following article: https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment

Thanks-
Thorsten






Alan DeKok
2018-11-29 14:24:02 UTC
Post by Thorsten Fritsch
we're running on Ubuntu 16.04.5 LTS. Sorry about the very verbose debug output. I took it with raddebug and
didn't know that's very verbose by default. Will take it to heart next time...
This is one of the few cases where more is better. Use "freeradius -Xxv", and you'll get output like this:

Thu Nov 29 09:22:41 2018 : Info: radiusd: FreeRADIUS Version 3.0.18 (git #f2d93cf), for host i386-apple-darwin17.7.0, built on Oct 27 2018 at 08:53:45
Thu Nov 29 09:22:41 2018 : Debug: Server was built with:
Thu Nov 29 09:22:41 2018 : Debug: accounting : yes
...
Thu Nov 29 09:22:41 2018 : Debug: developer : yes
Thu Nov 29 09:22:41 2018 : Debug: Server core libs:
Thu Nov 29 09:22:41 2018 : Debug: freeradius-server : 3.0.18
Thu Nov 29 09:22:41 2018 : Debug: talloc : 2.1.*
Thu Nov 29 09:22:41 2018 : Debug: ssl : 1.0.2p release
Thu Nov 29 09:22:41 2018 : Debug: Endianness:
Thu Nov 29 09:22:41 2018 : Debug: little
Thu Nov 29 09:22:41 2018 : Debug: Compilation flags:
...

Which is very useful.

Alan DeKok.


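The "ssl :" line Alan points at is the one to read off when a "protocol version" alert shows up. The following script is an added example for this thread (not FreeRADIUS project code): it pulls that line out of "freeradius -Xxv" output, reports the linked OpenSSL version, and decides whether that library can negotiate TLS 1.2 at all, using the fact that TLS 1.2 support first shipped in OpenSSL 1.0.1. The first sample is the output Thorsten posted; the plain "-Xv" sample and the 0.9.8 sample are constructed.

```python
"""Find the OpenSSL version FreeRADIUS is linked against in 'freeradius -Xxv'
output and say whether that library can negotiate TLS 1.2.

Added example for this thread; it is not FreeRADIUS project code."""
import re
import sys

# The 'Server core libs' block of -Xxv output prints a line such as
#   Thu Nov 29 15:29:10 2018 : Debug: ssl    : 1.0.2g release
SSL_LINE = re.compile(r"Debug:\s*ssl\s*:\s*(\d+)\.(\d+)\.(\d+)([a-z]*)")

# TLS 1.2 support first shipped in OpenSSL 1.0.1; older libraries top out at TLS 1.0.
TLS12_MIN_OPENSSL = (1, 0, 1)


def linked_openssl(debug_output):
    """Return (major, minor, fix, letter) parsed from the 'ssl :' line, or None
    when the output has no such line (plain -Xv output, for instance)."""
    for line in debug_output.splitlines():
        m = SSL_LINE.search(line)
        if m:
            return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
    return None


def supports_tls12(version):
    """True when the numeric part of the version is at least 1.0.1."""
    return version is not None and version[:3] >= TLS12_MIN_OPENSSL


def summarize(debug_output):
    """One-line verdict suitable for a ticket or a runbook check."""
    version = linked_openssl(debug_output)
    if version is None:
        return "no 'ssl :' line found; run 'freeradius -Xxv' (not just -Xv)"
    text = "%d.%d.%d%s" % version
    if supports_tls12(version):
        return "linked against OpenSSL %s: TLS 1.2 available, look elsewhere (eap config, client)" % text
    return "linked against OpenSSL %s: too old for TLS 1.2, upgrade OpenSSL/OS" % text


# Sample inputs.  The first is the output Thorsten posted; the other two are
# constructed: a plain -Xv run (no 'ssl :' line) and a box with an old 0.9.8 library.
SAMPLE_UBUNTU = """\
Thu Nov 29 15:29:10 2018 : Info: radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu
Thu Nov 29 15:29:10 2018 : Debug: tls                     : yes
Thu Nov 29 15:29:10 2018 : Debug: freeradius-server       : 3.0.17
Thu Nov 29 15:29:10 2018 : Debug: ssl                     : 1.0.2g release
"""
SAMPLE_XV_ONLY = """\
radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.17
"""
SAMPLE_OLD = "Thu Nov 29 15:29:10 2018 : Debug: ssl                     : 0.9.8zh release\n"

if __name__ == "__main__":
    # Usage: freeradius -Xxv 2>&1 | python3 check_openssl.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UBUNTU
    print(summarize(data))
```

Piping real "-Xxv" output through it gives the same verdict the thread reaches for 1.0.2g: the library is new enough, so the next places to look are the eap module configuration and the client side.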
Thorsten Fritsch
2018-11-29 14:31:36 UTC
Hi Alan,

thanks. It looks like we're linked to 1.0.2g

***@its-edurad-qm:~# freeradius -Xxv
Thu Nov 29 15:29:10 2018 : Info: radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu
Thu Nov 29 15:29:10 2018 : Debug: tls : yes
Thu Nov 29 15:29:10 2018 : Debug: freeradius-server : 3.0.17
Thu Nov 29 15:29:10 2018 : Debug: ssl : 1.0.2g release

Cheers,
Thorsten


Alan DeKok
2018-11-29 14:35:06 UTC
Post by Thorsten Fritsch
thanks. It looks like we're linked to 1.0.2g
Then it should support TLS 1.2.

If the Windows 10 boxes don't like it, ask Microsoft for assistance. :(

Alan DeKok.


Thorsten Fritsch
2018-11-29 14:45:36 UTC
Thanks Alan, will pass on the ball to our Windows guys.

Thorsten

Matthew Newton
2018-11-30 10:57:48 UTC
Post by Thorsten Fritsch
Thanks Alan, will pass on the ball to our Windows guys.
Also check you've not changed the default values in mods-enabled/eap to
stop 1.2 working, e.g. cipher_list, disable_tlsv1_2, tls_max_version.
--
Matthew

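Matthew's check is easy to automate. Below is an added example (mine, not FreeRADIUS project code) that parses a mods-enabled/eap fragment and flags the three settings he names when they would keep TLS 1.2 from being negotiated: disable_tlsv1_2 set to yes, tls_max_version below 1.2, and a cipher_list that is no longer the shipped "DEFAULT" (that last one is only a prompt to review, since a custom cipher string may or may not exclude TLS 1.2 suites). The parser only handles the brace-and-"key = value" subset of the server's config syntax that the eap module uses, and the sample config is constructed.

```python
"""Audit a FreeRADIUS 3.0 mods-enabled/eap fragment for settings that block
TLS 1.2.  Added example for this thread; not FreeRADIUS project code."""
import re

SECTION_OPEN = re.compile(r"^\s*([\w-]+(?:\s+[\w-]+)?)\s*\{\s*$")   # 'tls-config tls-common {'
SECTION_CLOSE = re.compile(r"^\s*\}\s*$")
KEY_VALUE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")


def parse_config(text):
    """Return a list of (section_path, key, value) triples.

    Handles the subset of the FreeRADIUS config syntax the eap module uses:
    nested 'name {' ... '}' sections, 'key = value' lines and '#' comments.
    Quotes around values are stripped; '#' inside a quoted value is not
    supported (cipher strings and version numbers never contain one)."""
    items = []
    path = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_OPEN.match(line)
        if m:
            path.append(m.group(1))
            continue
        if SECTION_CLOSE.match(line):
            if path:
                path.pop()
            continue
        m = KEY_VALUE.match(line)
        if m:
            items.append((tuple(path), m.group(1), m.group(2).strip().strip('"')))
    return items


def _version_tuple(value):
    """'1.1' -> (1, 1); anything unparsable -> None."""
    try:
        return tuple(int(part) for part in value.split("."))
    except ValueError:
        return None


def audit_tls_settings(text):
    """Return findings (strings) for settings inside a 'tls-config' section that
    can stop TLS 1.2 from being negotiated."""
    findings = []
    for path, key, value in parse_config(text):
        if not any(part.startswith("tls-config") for part in path):
            continue
        where = " > ".join(path)
        if key == "disable_tlsv1_2" and value.lower() == "yes":
            findings.append("%s: disable_tlsv1_2 = yes turns TLS 1.2 off" % where)
        elif key == "tls_max_version":
            ver = _version_tuple(value)
            if ver is not None and ver < (1, 2):
                findings.append("%s: tls_max_version = %s caps negotiation below TLS 1.2" % (where, value))
        elif key == "cipher_list" and value.upper() != "DEFAULT":
            # Assumption: "DEFAULT" is the shipped value; anything else needs a human look.
            findings.append("%s: cipher_list = %r is not DEFAULT; confirm it still allows TLS 1.2 suites" % (where, value))
    return findings


# Constructed sample: a tls-common section where both knobs Matthew mentions
# have been flipped away from the defaults.
SAMPLE_EAP = """\
eap {
	default_eap_type = peap
	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		cipher_list = "DEFAULT"
		disable_tlsv1_2 = yes       # constructed: disables TLS 1.2
		tls_max_version = "1.1"     # constructed: caps at TLS 1.1
	}
	peap {
		tls = tls-common
	}
}
"""

if __name__ == "__main__":
    for finding in audit_tls_settings(SAMPLE_EAP) or ["no TLS 1.2 blockers found"]:
        print(finding)
```

Run it against the real file with something like `python3 audit_eap.py < /etc/freeradius/3.0/mods-enabled/eap` after swapping the sample for `sys.stdin.read()`; an empty result means the server-side TLS settings are not what is rejecting the Windows 10 clients.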