FreeRadius 3.0.17 - TLS issue


FreeRadius 3.0.17 - TLS issue

robinson
Dear All,

we're running FR 3.0.17 and currently have some trouble with Windows 10 clients which, since just recently, can no longer
connect to the PEAP/MS-CHAPv2-based eduroam network.

According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates
with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version

53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0
(53282519) Tue Nov 27 16:07:35 2018: Debug:   Tunnel-Type = VLAN
(53282519) Tue Nov 27 16:07:35 2018: Debug:   Tunnel-Medium-Type = IEEE-802
(53282519) Tue Nov 27 16:07:35 2018: Debug:   Tunnel-Private-Group-Id = "822"
(53282519) Tue Nov 27 16:07:35 2018: Debug:   User-Name := "[hidden email]"
(53282519) Tue Nov 27 16:07:35 2018: Debug:   Chargeable-User-Identity := 0x36353637356537306236383335323162656233383262323062616538613935393935303934323763
(53282519) Tue Nov 27 16:07:35 2018: Debug:   MS-MPPE-Recv-Key = 0xde555d4feda0c69ee0c251195d63e1d0f81618a8781522cbe398610d7df41745
(53282519) Tue Nov 27 16:07:35 2018: Debug:   MS-MPPE-Send-Key = 0xb3a46cb36458a0dda59935105ffc8bfd38e4141952800b3bb9f989192ada38b0
(53282519) Tue Nov 27 16:07:35 2018: Debug:   EAP-Message = 0x030c0004
(53282519) Tue Nov 27 16:07:35 2018: Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(53282519) Tue Nov 27 16:07:35 2018: Debug: Finished request
(53282373) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 241 with timestamp +2433639
(53282375) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 242 with timestamp +2433639
(53282376) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 243 with timestamp +2433639
(53282378) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 244 with timestamp +2433639
(53282379) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 245 with timestamp +2433639
(53282380) Tue Nov 27 16:07:38 2018: Debug: Cleaning up request packet ID 246 with timestamp +2433639
(53282493) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 247 with timestamp +2433640
(53282497) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 248 with timestamp +2433640
(53282502) Tue Nov 27 16:07:39 2018: Debug: Cleaning up request packet ID 249 with timestamp +2433640
(53282509) Tue Nov 27 16:07:40 2018: Debug: Cleaning up request packet ID 250 with timestamp +2433640
(53282519) Tue Nov 27 16:07:40 2018: Debug: Cleaning up request packet ID 251 with timestamp +2433641
(53283340) Tue Nov 27 16:07:46 2018: ERROR: eap_peap: TLS Alert write:fatal:protocol version

It looks like a TLS mismatch, but I'm not sure. Any experiences with this? Which TLS versions are supported by FR 3.0.17?

Thanks and BR,
Thorsten




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius 3.0.17 - TLS issue

Alan DeKok-2
On Nov 27, 2018, at 12:37 PM, Thorsten Fritsch <[hidden email]> wrote:
> we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can
> connect to the PEAP/MS-CHAPv2-based eduroam network.
>
> According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates
> with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version

  Likely due to TLS 1.2.

> 53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0
> (53282519) Tue Nov 27 16:07:35 2018: Debug:   Tunnel-Type = VLAN

  Don't send "radiusd -Xx" please... all of the documentation says to just use "radiusd -X".

> It looks like a TLS mismatch, but I'm not sure. Any experiences with this? Which TLS versions are supported by FR 3.0.17?

  FreeRADIUS uses OpenSSL for TLS.  So check your OpenSSL library.

  Odds are that you're running a version / OS which is a few years old, and doesn't support TLS 1.2.  You'll have to upgrade to a recent release of OpenSSL in order to fix that.

  Which likely means upgrading the entire OS, as OpenSSL is used by many applications.

  Alan DeKok.



Re: FreeRadius 3.0.17 - TLS issue

arr2036


> On Nov 28, 2018, at 6:48 AM, Alan DeKok <[hidden email]> wrote:
>
> On Nov 27, 2018, at 12:37 PM, Thorsten Fritsch <[hidden email]> wrote:
>> we're running FR 3.0.17 and currently have some trouble with Windows 10 Clients which since just recently no longer can
>> connect to the PEAP/MS-CHAPv2-based eduroam network.
>>
>> According to the radius debug log the FR server sends an Access Accept to the NAS (Cisco WLC) but it then terminates
>> with the information: ERROR: eap_peap: TLS Alert write:fatal:protocol version
>
>  Likely due to TLS 1.2.
>
>> 53282519) Tue Nov 27 16:07:35 2018: Debug: Sent Access-Accept Id 251 from 131.152.21.100:1812 to 10.33.6.2:54247 length 0
>> (53282519) Tue Nov 27 16:07:35 2018: Debug:   Tunnel-Type = VLAN
>
>  Don't send "radiusd -Xx" please... all of the documentation says to just use "radiusd -X".
>
>> It looks like a TLS mismatch, but I'm not sure. Any experiences with this? Which TLS versions are supported by FR 3.0.17?
>
>  FreeRADIUS uses OpenSSL for TLS.  So check your OpenSSL library.
>
>  Odds are that you're running a version / OS which is a few years old, and doesn't support TLS 1.2.  You'll have to upgrade to a recent release of OpenSSL in order to fix that.

radiusd -Xv should show you the version of OpenSSL the server is linked against.

-Arran

RE: FreeRadius 3.0.17 - TLS issue

robinson
Thanks.

we're running on Ubuntu 16.04.5 LTS. Sorry about the very verbose debug output. I took it with raddebug and
didn't know that it's very verbose by default. Will take it to heart next time...

Unfortunately freeradius -Xv doesn't show the linked OpenSSL server on our system:

root@its-edurad-qm:~# freeradius -Xv
radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

It really seems to go in that direction - I found the following article: https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment

Thanks-
Thorsten


Re: FreeRadius 3.0.17 - TLS issue

Alan DeKok-2
On Nov 29, 2018, at 9:19 AM, Thorsten Fritsch <[hidden email]> wrote:
>
> we're running on Ubuntu 16.04.5 LTS. Sorry about the very verbose debug output. I took it with raddebug and
> didn't know that's very verbose by default. Will take it to heart next time...
>
> Unfortunately freeradius -Xv doesn't show the linked OpenSSL server on our system:
>
> root@its-edurad-qm:~# freeradius -Xv

  This is one of the few cases where more is better.  Use "freeradius -Xxv", and you'll get output like this:

Thu Nov 29 09:22:41 2018 : Info: radiusd: FreeRADIUS Version 3.0.18 (git #f2d93cf), for host i386-apple-darwin17.7.0, built on Oct 27 2018 at 08:53:45
Thu Nov 29 09:22:41 2018 : Debug: Server was built with:
Thu Nov 29 09:22:41 2018 : Debug:   accounting               : yes
...
Thu Nov 29 09:22:41 2018 : Debug:   developer                : yes
Thu Nov 29 09:22:41 2018 : Debug: Server core libs:
Thu Nov 29 09:22:41 2018 : Debug:   freeradius-server        : 3.0.18
Thu Nov 29 09:22:41 2018 : Debug:   talloc                   : 2.1.*
Thu Nov 29 09:22:41 2018 : Debug:   ssl                      : 1.0.2p release
Thu Nov 29 09:22:41 2018 : Debug: Endianness:
Thu Nov 29 09:22:41 2018 : Debug:   little
Thu Nov 29 09:22:41 2018 : Debug: Compilation flags:
...

  Which is very useful.

  Alan DeKok.



RE: FreeRadius 3.0.17 - TLS issue

robinson
Hi Alan,

thanks. It looks like we're linked to 1.0.2g

root@its-edurad-qm:~# freeradius -Xxv
Thu Nov 29 15:29:10 2018 : Info: radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu
Thu Nov 29 15:29:10 2018 : Debug:   tls                      : yes
Thu Nov 29 15:29:10 2018 : Debug:   freeradius-server        : 3.0.17
Thu Nov 29 15:29:10 2018 : Debug:   ssl                      : 1.0.2g release

Cheers,
Thorsten


Re: FreeRadius 3.0.17 - TLS issue

Alan DeKok-2
On Nov 29, 2018, at 9:31 AM, Thorsten Fritsch <[hidden email]> wrote:
>
> thanks. It looks like we're linked to 1.0.2g

  Then it should support TLS 1.2.

  If the Windows 10 boxes don't like it, ask Microsoft for assistance. :(

  Alan DeKok.



RE: FreeRadius 3.0.17 - TLS issue

robinson
Thanks Alan, will pass the ball on to our Windows guys.

Thorsten

Re: FreeRadius 3.0.17 - TLS issue

Matthew Newton-3
On Thu, 2018-11-29 at 14:45 +0000, Thorsten Fritsch wrote:
> Thanks Alan will pass on the ball to our Windows guys

Also check you've not changed the default values in mods-enabled/eap to
stop 1.2 working, e.g. cipher_list, disable_tlsv1_2, tls_max_version.

--
Matthew

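As an added illustration of Matthew's last point (not code from the thread or from the FreeRADIUS project): a small checker that reads the tls-config block of mods-enabled/eap and reports the settings he names that would stop TLS 1.2 from being negotiated. The sample config embedded below is constructed for the example; the key names and their defaults (disable_tlsv1_2 = no, tls_max_version = "1.2") are taken from the thread and the stock 3.0.x eap module.

```python
import re

# Constructed sample of an eap module config; it deliberately carries two
# settings that would prevent TLS 1.2 so the checker has something to find.
SAMPLE_EAP = """
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem   # not relevant here
        disable_tlsv1_2 = yes
        tls_max_version = "1.1"
        cipher_list = "DEFAULT"
    }
}
"""

def parse_tls_settings(text):
    """Return {key: value} for the assignments inside the first tls-config
    block. Comments are stripped and surrounding quotes removed."""
    settings, in_block, depth = {}, False, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if not in_block:
            if re.match(r'tls-config\s+\S+\s*\{', line):
                in_block, depth = True, 1
            continue
        depth += line.count('{') - line.count('}')
        if depth <= 0:          # closing brace of the tls-config block
            break
        m = re.match(r'([A-Za-z0-9_]+)\s*=\s*(.*)$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def tls12_blockers(settings):
    """List the settings from the thread that rule out TLS 1.2. cipher_list
    is not judged automatically: an OpenSSL cipher string needs a human
    (or `openssl ciphers -v`) to say whether it still leaves 1.2 suites."""
    problems = []
    if settings.get('disable_tlsv1_2', 'no').lower() in ('yes', 'on', 'true'):
        problems.append('disable_tlsv1_2 = yes')
    try:
        if float(settings.get('tls_max_version', '1.2')) < 1.2:
            problems.append('tls_max_version = ' + settings['tls_max_version'])
    except ValueError:
        problems.append('tls_max_version is not a version number')
    return problems

if __name__ == '__main__':
    found = tls12_blockers(parse_tls_settings(SAMPLE_EAP))
    print('TLS 1.2 blockers:', found or 'none')
```

Run it against the real file with `parse_tls_settings(open('/etc/freeradius/mods-enabled/eap').read())`; an empty result means the module config is not what is stopping 1.2 and the OpenSSL build or the client is the next place to look.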