Freeradius 3.0.12 EAP TLS Problem

Freeradius 3.0.12 EAP TLS Problem

Seniha S. ÖZTEMİZ TULGAR
Hello,

When I run FreeRADIUS I get the following debug log:

(1) eap_ttls: WARNING: Total received TLS record fragments (50 bytes), does
not equal indicated TLS record length (0 bytes)
(1) eap_ttls: [eaptls verify] = ok
(1) eap_ttls: Done initial handshake
(1) eap_ttls: (other): before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: <<< recv TLS 1.2  [length 002d]
(1) eap_ttls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(1) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(1) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL
routines:tls_post_process_client_hello:no shared cipher
(1) eap_ttls: ERROR: System call (I/O) error (-1)
(1) eap_ttls: ERROR: TLS receive handshake failed during operation
(1) eap_ttls: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module
failed

Have you encountered this problem? How did you solve it? What can I do?

--
Regards

Seniha
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 3.0.12 EAP TLS Problem

Stefan Winter-4
Hi,

> (1) eap_ttls: <<< recv TLS 1.2  [length 002d]
> (1) eap_ttls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
> (1) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
> tls: TLS_accept: Error in error
> (1) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL
> routines:tls_post_process_client_hello:no shared cipher

"No shared cipher" is pretty definitive: server and client have no
encryption cipher in common, so they can't continue the conversation.

It looks like the client tries - and insists - on TLS 1.2 (with its
recent ciphers) while the server only offers 1.0 (with its... still
somewhat contemporary ciphers).

If my reading above is correct, you'd have to upgrade the server to a
version that supports TLS 1.2 (or just turn it on if you do have a
capable version but turned it off deliberately).

Greetings,

Stefan Winter


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
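Added example, not from the thread or the FreeRADIUS project: a small Python triage script for the eap_ttls debug lines quoted above. It pulls out the record-layer version of the received ClientHello and of the alert sent back, and unpacks the OpenSSL error code using the 1.1.x lib/function/reason packing, so `error:1417A0C1` resolves to library 20 (SSL), reason 193, `SSL_R_NO_SHARED_CIPHER`. `SAMPLE_LOG` is a constructed excerpt of the log in the first post; the reason-name table and the diagnosis wording are mine. One caveat worth keeping in mind: an alert written while the ClientHello is still being processed can carry a lower record-layer version than the server actually supports, so the `send TLS 1.0 Alert` line on its own does not prove the server is limited to TLS 1.0; the OpenSSL reason code is the reliable signal.

```python
import re

# Constructed excerpt of the eap_ttls debug output quoted in this thread (not the full log).
SAMPLE_LOG = """\
(1) eap_ttls: [eaptls verify] = ok
(1) eap_ttls: Done initial handshake
(1) eap_ttls: <<< recv TLS 1.2  [length 002d]
(1) eap_ttls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(1) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
(1) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(1) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
"""

RECV_RE = re.compile(r"<<< recv TLS (\d\.\d)\s+\[length ([0-9a-f]+)\]")
SEND_RE = re.compile(r">>> send TLS (\d\.\d) (\w+)\s+\[length ([0-9a-f]+)\](?:, (\w+) (\w+))?")
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

# OpenSSL 1.1.x packs an error code as lib (8 bits) | function (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
SSL_REASON_NAMES = {193: "SSL_R_NO_SHARED_CIPHER"}  # only the reason this thread is about


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.1.x error code into library, function and reason numbers."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    name = SSL_REASON_NAMES.get(reason, "unknown") if lib == ERR_LIB_SSL else "unknown"
    return {"lib": lib, "func": func, "reason": reason, "reason_name": name}


def triage_tls_handshake(log_text):
    """Collect the TLS facts from eap_tls/eap_ttls debug output and name the likely cause."""
    facts = {"client_record_version": None, "server_record_version": None,
             "alert": None, "openssl": None, "diagnosis": []}
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m and facts["client_record_version"] is None:
            facts["client_record_version"] = m.group(1)          # first record from the client
        m = SEND_RE.search(line)
        if m and m.group(2) == "Alert":
            facts["server_record_version"] = m.group(1)
            facts["alert"] = (m.group(4), m.group(5))            # e.g. ("fatal", "handshake_failure")
        m = OSSL_RE.search(line)
        if m:
            facts["openssl"] = dict(decode_openssl_error(m.group(1)),
                                    function=m.group(3), text=m.group(4).strip())
    ossl = facts["openssl"]
    if ossl and ossl["reason_name"] == "SSL_R_NO_SHARED_CIPHER":
        facts["diagnosis"].append(
            "no cipher suite in common: compare the ClientHello's suites with the server's "
            "cipher_list and with the key type of the server certificate")
    if facts["alert"] == ("fatal", "handshake_failure") and not ossl:
        facts["diagnosis"].append(
            "handshake_failure alert without an OpenSSL reason line: rerun with full debug output")
    cv, sv = facts["client_record_version"], facts["server_record_version"]
    if cv and sv and cv != sv:
        facts["diagnosis"].append(
            f"client record version {cv} vs server alert record version {sv}: check which TLS "
            "versions the server build enables (an alert sent before negotiation finishes "
            "may carry a lower record version than the server supports)")
    return facts


if __name__ == "__main__":
    result = triage_tls_handshake(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it a complete `radiusd -X` capture rather than the excerpt; when reason 193 shows up, the fix is on the server side of the intersection (the `cipher_list` in the eap module's TLS configuration and the certificate's key type) checked against what the client offers, not on the client first.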


Re: Freeradius 3.0.12 EAP TLS Problem

Seniha S. ÖZTEMİZ TULGAR
In reply to this post by Seniha S. ÖZTEMİZ TULGAR
Hello,

My Windows 10 clients do not get the "no shared cipher" error, but Win7
clients get this error. "Fri Jul 28 12:16:39 2017 : ERROR: (4)

eap_ttls: Failed in __FUNCTION__ (SSL_read):
../ssl/statem/statem_srvr.c[1404]:error:1417A0C1:SSL
routines:tls_post_process_client_hello:no shared cipher"

I updated the win7 clients ciphers. Still get the above message.

Please advise.

Kind regards,



On Thu, Jul 6, 2017 at 11:43 AM, Seniha S. ÖZTEMİZ TULGAR <[hidden email]> wrote:

> Hello,
>
> When I run FreeRADIUS I get the following debug log:
>
> (1) eap_ttls: WARNING: Total received TLS record fragments (50 bytes),
> does not equal indicated TLS record length (0 bytes)
> (1) eap_ttls: [eaptls verify] = ok
> (1) eap_ttls: Done initial handshake
> (1) eap_ttls: (other): before SSL initialization
> (1) eap_ttls: TLS_accept: before SSL initialization
> (1) eap_ttls: TLS_accept: before SSL initialization
> (1) eap_ttls: <<< recv TLS 1.2  [length 002d]
> (1) eap_ttls: >>> send TLS 1.0 Alert [length 0002], fatal
> handshake_failure
> (1) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
> tls: TLS_accept: Error in error
> (1) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL
> routines:tls_post_process_client_hello:no shared cipher
> (1) eap_ttls: ERROR: System call (I/O) error (-1)
> (1) eap_ttls: ERROR: TLS receive handshake failed during operation
> (1) eap_ttls: ERROR: [eaptls process] = fail
> (1) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module
> failed
>
> Have you encountered this problem? How did you solve it? What can I do?
>
> --
> Regards
>
> Seniha
>
>


--
Greetings and best regards,

Seniha.

Re: Freeradius 3.0.12 EAP TLS Problem

Alan DeKok-2
On Jul 28, 2017, at 5:22 AM, Seniha S. ÖZTEMİZ TULGAR <[hidden email]> wrote:
> My Windows 10 clients do not get the "no shared cipher" error, but Win7
> clients get this error. "Fri Jul 28 12:16:39 2017 : ERROR: (4)
>
> eap_ttls: Failed in __FUNCTION__ (SSL_read):
> ../ssl/statem/statem_srvr.c[1404]:error:1417A0C1:SSL
> routines:tls_post_process_client_hello:no shared cipher"
>
> I updated the win7 clients ciphers. Still get the above message.

  You need to configure the systems to have a shared SSL cipher.

  The default configuration on FreeRADIUS works.  Did you change anything in it?

  Alan DeKok.



Re: Freeradius 3.0.12 EAP TLS Problem

Seniha S. ÖZTEMİZ TULGAR
Hello,

I created new certificates with files under freeradius/3.0/certs and
changed paths of certificates to /etc/freeradius/3.0/certs in eap and
inner-eap files.

But even with the default configuration (certificate paths pointing to
/etc/ssl), I get the same error message (no shared cipher).

I changed cipher list (ALL:COMPLEMENTOFALL,etc.) in the aforementioned
files; the same error.

Any debug suggestions, please; I am stuck.

Thank you in advance,

Kind regards,


On Fri, Jul 28, 2017 at 3:26 PM, Alan DeKok <[hidden email]>
wrote:

> On Jul 28, 2017, at 5:22 AM, Seniha S. ÖZTEMİZ TULGAR <
> [hidden email]> wrote:
> > My Windows 10 clients do not get the "no shared cipher" error, but Win7
> > clients get this error. "Fri Jul 28 12:16:39 2017 : ERROR: (4)
> >
> > eap_ttls: Failed in __FUNCTION__ (SSL_read):
> > ../ssl/statem/statem_srvr.c[1404]:error:1417A0C1:SSL
> > routines:tls_post_process_client_hello:no shared cipher"
> >
> > I updated the win7 clients ciphers. Still get the above message.
>
>   You need to configure the systems to have a shared SSL cipher.
>
>   The default configuration on FreeRADIUS works.  Did you change anything
> in it?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html

Re: Freeradius 3.0.12 EAP TLS Problem

Alan DeKok-2
On Jul 28, 2017, at 10:18 AM, Seniha S. ÖZTEMİZ TULGAR <[hidden email]> wrote:

> I created new certificates with files under freeradius/3.0/certs and
> changed paths of certificates to /etc/freeradius/3.0/certs in eap and
> inner-eap files.
>
> but even with the default configuration (certificate paths pointing to
> /etc/ssl), I get the same error message. (no shared cipher)
>
> I changed cipher list (ALL:COMPLEMENTOFALL,etc.) in the aforementioned
> files; the same error.
>
> Any debug suggestions, please ; I am stuck.

  We didn't write Windows, and we know nothing about it.  So that makes it difficult for us to know what's going on there.

  FreeRADIUS works with everything that we're aware of.

  I suspect something else is wrong.  i.e. Windows is lying about the error message.

  Alan DeKok.



FreeRadius 3 - Help with Logs.

Aurélio de Souza Ribeiro Neto
In reply to this post by Seniha S. ÖZTEMİZ TULGAR
Hello All,

I upgraded my FreeRADIUS from 2.2.9 to 3.3.0.15 and it is working
fine, except my logs:

In 2.2.9 I have a log file like this example:

Fri Jul 28 11:42:40 2017 : Info: Released IP 187.120.203.145 (did CE -
POP SM8 cli E8:DE:27:F0:0F:C2 user osvaldoreis)
Fri Jul 28 11:43:15 2017 : Auth: Login OK: [osvaldoreis] (from client
ce-popsm-rb port 15781127 cli E8:DE:27:F0:0F:C2)
Fri Jul 28 11:43:15 2017 : Info: Allocated IP: 187.120.203.153 from
main_pool   (did CE - POP SM8 cli E8:DE:27:F0:0F:C2 port 15781127 user
osvaldoreis)

In 3.3.0.15 it looks like this:

Fri Jul 28 11:52:52 2017 : Info: Need 2 more connections to reach min
connections (15)
Fri Jul 28 11:52:52 2017 : Info: rlm_sql (sql): Opening additional
connection (13), 1 of 51 pending slots used
Fri Jul 28 11:52:52 2017 : Auth: (7) Login OK: [testepppoe2] (from
client ce-teste-rb port 15728797 cli F8:1A:67:58:42:E8)

How can I get Released IP and Allocated IP back and suppress Info:
rlm_sql?

Thanks

Aurélio




Re: FreeRadius 3 - Help with Logs.

Alan DeKok-2
On Jul 28, 2017, at 11:09 AM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:

>    I Upgraded my FreeRadius from 2.2.9 to 3.3.0.15 and is working fine, except my Logs:
>
>    In 2.2.9 I have a log file like this example:
>
> Fri Jul 28 11:42:40 2017 : Info: Released IP 187.120.203.145 (did CE - POP SM8 cli E8:DE:27:F0:0F:C2 user osvaldoreis)
> Fri Jul 28 11:43:15 2017 : Auth: Login OK: [osvaldoreis] (from client ce-popsm-rb port 15781127 cli E8:DE:27:F0:0F:C2)
> Fri Jul 28 11:43:15 2017 : Info: Allocated IP: 187.120.203.153 from main_pool   (did CE - POP SM8 cli E8:DE:27:F0:0F:C2 port 15781127 user osvaldoreis)
>
>    In 3.3.0.15 like this:
>
> Fri Jul 28 11:52:52 2017 : Info: Need 2 more connections to reach min connections (15)
> Fri Jul 28 11:52:52 2017 : Info: rlm_sql (sql): Opening additional connection (13), 1 of 51 pending slots used
> Fri Jul 28 11:52:52 2017 : Auth: (7) Login OK: [testepppoe2] (from client ce-teste-rb port 15728797 cli F8:1A:67:58:42:E8)
>
>    How can I have Released IP and Allocate IP back and Suppress Info: rlm_sql?

  Edit the source.  Or, use the linelog module to log those IP addresses.

  Alan DeKok.



Re: FreeRadius 3 - Help with Logs.

Aurélio de Souza Ribeiro Neto
Alan,

Thanks again!! I didn't see this info at the end of sqlippool, sorry!

About rlm_sql, how can I suppress it?

Thanks

Aurelio

On 28/07/2017 12:54, Alan DeKok wrote:

> On Jul 28, 2017, at 11:09 AM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>>     I Upgraded my FreeRadius from 2.2.9 to 3.3.0.15 and is working fine, except my Logs:
>>
>>     In 2.2.9 I have a log file like this example:
>>
>> Fri Jul 28 11:42:40 2017 : Info: Released IP 187.120.203.145 (did CE - POP SM8 cli E8:DE:27:F0:0F:C2 user osvaldoreis)
>> Fri Jul 28 11:43:15 2017 : Auth: Login OK: [osvaldoreis] (from client ce-popsm-rb port 15781127 cli E8:DE:27:F0:0F:C2)
>> Fri Jul 28 11:43:15 2017 : Info: Allocated IP: 187.120.203.153 from main_pool   (did CE - POP SM8 cli E8:DE:27:F0:0F:C2 port 15781127 user osvaldoreis)
>>
>>     In 3.3.0.15 like this:
>>
>> Fri Jul 28 11:52:52 2017 : Info: Need 2 more connections to reach min connections (15)
>> Fri Jul 28 11:52:52 2017 : Info: rlm_sql (sql): Opening additional connection (13), 1 of 51 pending slots used
>> Fri Jul 28 11:52:52 2017 : Auth: (7) Login OK: [testepppoe2] (from client ce-teste-rb port 15728797 cli F8:1A:67:58:42:E8)
>>
>>     How can I have Released IP and Allocate IP back and Suppress Info: rlm_sql?
>    Edit the source.  Or, use the linelog module to log those IP addresses.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Re: FreeRadius 3 - Help with Logs.

Alan DeKok-2
On Jul 28, 2017, at 1:59 PM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>
>
>    Thanks again!! I didn't see this info at the end of sqlippool, sorry!
>
>    About rlm_sql, how can I suppress it?

  For now, you can't.

  Alan DeKok.



FreeRadius 3 - FROM_UNIXTIME

Aurélio de Souza Ribeiro Neto
In reply to this post by Aurélio de Souza Ribeiro Neto
Hello,

I found a problem and I need help.

The original queries in
raddb/mods-config/sql/main/mysql/queries.conf using FROM_UNIXTIME are
inserting/updating the radacct register with month-1. For example: today
is 2017-07-29 and I have 2017-06-29.

For now I changed FROM_UNIXTIME to NOW(), but I don't want to keep it.

Any suggestion?


Aurélio




Re: FreeRadius 3 - FROM_UNIXTIME

Alan DeKok-2
On Jul 29, 2017, at 9:06 AM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>    The original queries in raddb/mods-config/sql/main/mysql/queries.conf using FROM_UNIXTIME are inserting/updating the radacct register with month-1. For example: today is 2017-07-29 and I have 2017-06-29.

  The FROM_UNIXTIME function takes a Unix time and converts it to a time that SQL can understand.  So if the output time is wrong, then the input time is wrong.

  So... where does that input time come from?

  If that time comes from Event-Timestamp, it's sent by the NAS.  Fix the time on the NAS so it's right.

  If that time comes from %l, it's the time on the server.  Fix the time on the server so it's right.

  FreeRADIUS doesn't magically invent time.  It gets times from somewhere else.  So find out why those times are wrong.  No amount of poking FreeRADIUS will fix the broken time on your NAS.

  Alan DeKok.
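Added example, not part of the thread: a check for the situation Alan describes, in Python over constructed accounting records. `effective_acct_time` models the choice between the NAS-supplied Event-Timestamp and the server clock `%l` (that the stock queries take the form `%{%{integer:Event-Timestamp}:-%l}` is my assumption about their shape); `clock_skew_by_nas` compares the two for every record that carries an Event-Timestamp and flags a NAS whose clock differs from the server's by more than a tolerance. The `ce-teste-rb` records are built to reproduce the month-off symptom from the post; the NAS names are the ones quoted in this thread, the timestamps are made up.

```python
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0, minute=0):
    """Unix time for a UTC wall-clock value (keeps the constructed sample data readable)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed accounting records. event_timestamp is what the NAS put in Event-Timestamp
# (None when the NAS sent none); received_at is the server's own clock (%l) on arrival.
# ce-teste-rb is built to run one month slow, like the NAS in the post.
SAMPLE_RECORDS = [
    {"nas": "ce-popsm-rb", "session": "s1", "event_timestamp": utc(2017, 7, 29, 12, 0),
     "received_at": utc(2017, 7, 29, 12, 0)},
    {"nas": "ce-popsm-rb", "session": "s2", "event_timestamp": None,
     "received_at": utc(2017, 7, 29, 12, 1)},
    {"nas": "ce-teste-rb", "session": "s3", "event_timestamp": utc(2017, 6, 29, 12, 0),
     "received_at": utc(2017, 7, 29, 12, 0)},
    {"nas": "ce-teste-rb", "session": "s4", "event_timestamp": utc(2017, 6, 29, 12, 5),
     "received_at": utc(2017, 7, 29, 12, 6)},
]


def effective_acct_time(record):
    """Model of the %{%{integer:Event-Timestamp}:-%l} choice (assumed shape of the stock
    queries): the NAS time when the packet carries one, otherwise the server clock.
    Returns (unix_time, source) so the caller can see where the value came from."""
    if record["event_timestamp"] is not None:
        return record["event_timestamp"], "Event-Timestamp"
    return record["received_at"], "%l"


def clock_skew_by_nas(records, max_skew=timedelta(minutes=5)):
    """Per NAS: the worst observed NAS-minus-server offset and whether it exceeds max_skew.
    Records without Event-Timestamp say nothing about the NAS clock and are skipped."""
    report = {}
    for r in records:
        if r["event_timestamp"] is None:
            continue
        skew = r["event_timestamp"] - r["received_at"]      # negative: NAS clock is behind
        entry = report.setdefault(r["nas"], {"samples": 0, "worst_skew_seconds": 0})
        entry["samples"] += 1
        if abs(skew) > abs(entry["worst_skew_seconds"]):
            entry["worst_skew_seconds"] = skew
    for entry in report.values():
        entry["flagged"] = abs(entry["worst_skew_seconds"]) > max_skew.total_seconds()
    return report


def describe(report):
    """One human-readable line per NAS, in the spirit of the thread's log format."""
    lines = []
    for nas, e in sorted(report.items()):
        days = e["worst_skew_seconds"] / 86400
        state = "CLOCK SKEW" if e["flagged"] else "ok"
        lines.append(f"{state}: {nas} worst offset {days:+.1f} days over {e['samples']} record(s)")
    return lines


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["session"], effective_acct_time(rec))
    for line in describe(clock_skew_by_nas(SAMPLE_RECORDS)):
        print(line)
```

The point of keeping the source alongside the value is the one Alan makes: if the stored acctstarttime is wrong and the source was Event-Timestamp, the NAS clock is the thing to fix; switching the query to NOW() only hides which device is lying.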



Re: FreeRadius 3 - FROM_UNIXTIME

Aurélio de Souza Ribeiro Neto
Dear Alan,

Thanks again!!! You, and FreeRADIUS, are always RIGHT!!!!

My NAS has the wrong date!! So sorry! :(

Aurelio


On 29/07/2017 10:17, Alan DeKok wrote:

> On Jul 29, 2017, at 9:06 AM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>>     The original queries in raddb/mods-config/sql/main/mysql/queries.conf using FROM_UNIXTIME are inserting/updating the radacct register with month-1. For example: today is 2017-07-29 and I have 2017-06-29.
>    The FROM_UNIXTIME function takes a Unix time and converts it to a time that SQL can understand.  So if the output time is wrong, then the input time is wrong.
>
>    So... where does that input time come from?
>
>    If that time comes from Event-Timestamp, it's sent by the NAS.  Fix the time on the NAS so it's right.
>
>    If that time comes from %l, it's time on the server.  Fix the time on the server so it's right.
>
>    FreeRADIUS doesn't magically invent time.  It gets times from somewhere else.  So find out why those times are wrong.  No amount of poking FreeRADIUS will fix the broken time on your NAS.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Linelog - References

Aurélio de Souza Ribeiro Neto
Hello,

What are the references to use in linelog for session and authorize?

I want to reproduce the 2.2.9 log messages in FreeRADIUS 3.

Thanks

Aurelio

Re: Linelog - References

Matthew Newton-3
On 30 July 2017 14:26:57 BST, "Aurélio de Souza Ribeiro Neto" <[hidden email]> wrote:
>      What's the references to use in linelog for session and authorize
>   to use in linelog?

It's not really clear to me what you're asking.

You can put any attributes or expansion variables in the linelog output, so just look at what's in the packet and log what you need.


--
Matthew


Re: Linelog - References

Aurélio de Souza Ribeiro Neto
Hello Matthew,

For Accounting I use reference =
"Accounting-Request.%{%{Acct-Status-Type}:-unknown}".

What do I need to use for session and authorize?

     Thanks

Aurelio


On 30/07/2017 10:40, Matthew Newton wrote:
> On 30 July 2017 14:26:57 BST, "Aurélio de Souza Ribeiro Neto" <[hidden email]> wrote:
>>       What's the references to use in linelog for session and authorize
>>    to use in linelog?
> It's not really clear to me what you're asking.
>
> You can put any attributes or expansion variables in the linelog output, so just look at what's in the packet and log what you need.
>
>




Re: Linelog - References

Alan DeKok-2
On Jul 30, 2017, at 9:51 AM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>    For Accounting i use    reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}".
>
>    What I need to use for session and authorize?

  You need to read the documentation for the linelog module.  Not because it answers this question.  But because it explains what the linelog module does.

  Right now, it's clear you don't know what the linelog module does.  You don't know *why* there's a "reference" line.

  Perhaps you could explain what information you are trying to log?

  Right now, all we know is that you're asking us what you need to configure, but we don't know what you're trying to do.

  Please explain what you're trying to do.

  i.e. it's like you're on vacation, and asking us which train you should take.  Well, we don't know.  The answer depends on where you're going.  Since you're not telling us where you're going, we can't answer your question.

  Alan DeKok.



Re: Linelog - References

Aurélio de Souza Ribeiro Neto
Alan,

Thanks for your hints.

I was able to sort out a part of what I wanted.

My wish now is to log the connection errors, for example for
multiple connections.

Studying, I saw that I have to deal in post-auth with
%{control:Module-Failure-Message}.

How do I set the reference to know which messages I get?

I want to create a linelog line like: Multiple logins (max 1):
[testepppoe2] (from client ce-test-rb port 15728677 cli C4:E9:84:D4:EF:8A)

Sorry to bother you

Aurelio

On 30/07/2017 11:00, Alan DeKok wrote:

> On Jul 30, 2017, at 9:51 AM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>>     For Accounting i use    reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}".
>>
>>     What I need to use for session and authorize?
>    You need to read the documentation for the linelog module.  Not because it answer this questions.  But because it explains what the linelog module does.
>
>    Right now, it's clear you don't know what the linelog module does.  You don't know *why* there's a "reference" line.
>
>    Perhaps you could explain what information are you trying to log?
>
>    Right now, all we know is that you're asking us what you need to configure, but we don't know what you're trying to do.
>
>    Please explain what you're trying to do.
>
>    i.e. it's like you're on vacation, and asking us which train you should take.  Well, we don't know.  The answer depends on where you're going.  Since you're not telling us where you're going, we can't answer your question.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Re: Linelog - References

Alan DeKok-2
On Jul 31, 2017, at 9:42 AM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>    I was able to sort out a part of what I wanted.
>
>    My wish now is to log the connection errors, for example for multiple connections.

  Linelog logs information for a request.

>    Studying, I saw that I have to deal in post-auth with %{control:Module-Failure-Message}.
>
>    How do I set the reference to know which messages I get?
>
>    I want to create a linelog line like: Multiple logins (max 1): [testepppoe2] (from client ce-test-rb port 15728677 cli C4:E9:84:D4:EF:8A)

  Find out where that information is, and configure linelog to create it.  Read the debug output.

  Honestly, all of the information you need to solve the problem is in front of you.  I'm not going to do your work for you.

  Alan DeKok.
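Added example (mine, not the linelog module's code) for the two linelog questions in this thread: what the "reference" line is for, which the exchange just above turns on, and how the 2.2.9-style "Login OK" line from the earlier "Help with Logs" messages can be rebuilt from packet attributes. `expand` is a simplified model of FreeRADIUS attribute expansion: `%{Attr}` becomes the attribute's value, or the empty string when the attribute is absent, and `%{%{Attr}:-default}` yields the default when the inner expansion comes out empty. `LineLog.render` expands the reference to pick an entry such as `messages.Access-Accept`, falls back to `format` when no entry matches, and writes nothing for an empty result, which is how the thread's `Accounting-Request.%{%{Acct-Status-Type}:-unknown}` selects one message per Acct-Status-Type. The packets are constructed with values shaped like the thread's log lines; which attribute actually carries the "Multiple logins (max 1)" text is left open in the thread, so `Module-Failure-Message` in the Access-Reject template is an assumption.

```python
def _matching_brace(text, open_idx):
    """Index of the '}' that closes the '{' at open_idx, honouring nesting."""
    depth = 0
    for k in range(open_idx, len(text)):
        if text[k] == "{":
            depth += 1
        elif text[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{ in " + text)


def _split_alternation(inner):
    """Split 'A:-B' at the top-level ':-' (a ':-' inside a nested %{...} is ignored)."""
    depth = 0
    for k in range(len(inner) - 1):
        if inner[k] == "{":
            depth += 1
        elif inner[k] == "}":
            depth -= 1
        elif depth == 0 and inner[k:k + 2] == ":-":
            return inner[:k], inner[k + 2:]
    return None


def expand(template, attrs):
    """Simplified model of FreeRADIUS expansion (not the server's xlat code):
    %{Attr} -> the attribute's value, '' when absent; %{A:-B} -> A expanded, or B
    expanded when A comes out empty. A is itself a template, so %{%{X}:-y} works."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            close = _matching_brace(template, i + 1)
            inner = template[i + 2:close]
            alt = _split_alternation(inner)
            if alt is not None:
                primary, default = alt
                value = expand(primary, attrs) or expand(default, attrs)
            else:
                value = attrs.get(inner, "")
            out.append(value)
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


class LineLog:
    """Model of the linelog module's message selection: 'reference' expands to a key
    like 'messages.Access-Accept'; that entry is the line template; with no such entry
    'format' is used; an empty line means nothing is written."""

    def __init__(self, reference, sections, fallback_format=""):
        self.reference = reference
        self.sections = sections          # {"messages": {"Access-Accept": "...", ...}}
        self.fallback_format = fallback_format

    def render(self, attrs):
        key = expand(self.reference, attrs)
        section, _, name = key.partition(".")
        template = self.sections.get(section, {}).get(name)
        if template is None:
            template = self.fallback_format
        return expand(template, attrs) or None


# Model of a post-auth linelog instance: one line per reply type, nothing otherwise.
LOG_AUTH = LineLog(
    reference="messages.%{%{reply:Packet-Type}:-default}",
    sections={"messages": {
        "Access-Accept": "Login OK: [%{User-Name}] (from client %{Client-Shortname} "
                         "port %{NAS-Port} cli %{Calling-Station-Id})",
        # Module-Failure-Message as the carrier of the reject reason is an assumption.
        "Access-Reject": "Login incorrect (%{%{Module-Failure-Message}:-no reason given}): "
                         "[%{User-Name}] (from client %{Client-Shortname} "
                         "port %{NAS-Port} cli %{Calling-Station-Id})",
        "default": "",
    }},
)

# The accounting reference quoted in the thread, with an entry per status type.
LOG_ACCT = LineLog(
    reference="Accounting-Request.%{%{Acct-Status-Type}:-unknown}",
    sections={"Accounting-Request": {
        "Start": "Session start: [%{User-Name}] ip %{Framed-IP-Address} cli %{Calling-Station-Id}",
        "Stop": "Session stop: [%{User-Name}] ip %{Framed-IP-Address} cli %{Calling-Station-Id}",
        "unknown": "",
    }},
)

# Constructed attribute sets shaped like the thread's log lines; the reply's packet
# type is keyed as 'reply:Packet-Type' to mirror the %{reply:...} list prefix.
ACCEPTED = {"reply:Packet-Type": "Access-Accept", "User-Name": "osvaldoreis",
            "Client-Shortname": "ce-popsm-rb", "NAS-Port": "15781127",
            "Calling-Station-Id": "E8:DE:27:F0:0F:C2"}
REJECTED = {"reply:Packet-Type": "Access-Reject", "User-Name": "testepppoe2",
            "Client-Shortname": "ce-test-rb", "NAS-Port": "15728677",
            "Calling-Station-Id": "C4:E9:84:D4:EF:8A",
            "Module-Failure-Message": "Multiple logins (max 1)"}
ACCT_START = {"Acct-Status-Type": "Start", "User-Name": "osvaldoreis",
              "Framed-IP-Address": "187.120.203.153", "Calling-Station-Id": "E8:DE:27:F0:0F:C2"}

if __name__ == "__main__":
    for packet in (ACCEPTED, REJECTED, {"User-Name": "nobody"}):
        print(LOG_AUTH.render(packet))
    print(LOG_ACCT.render(ACCT_START))
```

The model makes Alan's point concrete: the reference is not a list of things to log, it is an expansion that names which message to use for this request, so the attribute it keys on must exist in the packet at the point in the server where linelog is called.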

