I am changing out my radius servers and the certificates that I use during radius authentication. I want to use a current version of CentOS (RockyLinux 9) and my certificates expired a year ago.
Setup (RPMs come from RockyLinux):
FreeRadius 3.0.21-26
openssl-3.0.1-43
I have generated new certificates (the old certificates were not compatible with how OpenSSL is compiled on Rocky). There is no complaining by FreeRadius on my configurations, which I verified against my old server, documentation on Cambium’s site, and my notes from over 10 years ago. I have tried EAP-TTLS and EAP-PEAP and will include the log segment from both, which are nearly identical. For some reason there is a TLS 1.3 handshake happening and I am at a loss for the reason. I understand that FreeRadius supports only up to TLS 1.2. I have deleted my configuration and started over, generated new certs, etc. I am at a loss as to what is wrong.
TTLS eapttls
(1) eap: Expiring EAP session with state 0xdaa83f01daaa2a05
(1) eap: Finished EAP session with state 0xdaa83f01daaa2a05
(1) eap: Previous EAP request found for state 0xdaa83f01daaa2a05, released from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 58 bytes
(1) eap_ttls: (TLS) EAP Got all data (58 bytes)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) send TLS 1.0 Alert, fatal protocol_version
(1) eap_ttls: ERROR: (TLS) Alert write:fatal:protocol version
(1) eap_ttls: ERROR: (TLS) Server : Error in error
(1) eap_ttls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(1) eap_ttls: ERROR: (TLS) System call (I/O) error (-1)
(1) eap_ttls: ERROR: (TLS) EAP Receive handshake failed during operation
(1) eap_ttls: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
TTLS eappeap
(2) eap: Expiring EAP session with state 0xa19e2913a09d3085
(2) eap: Finished EAP session with state 0xa19e2913a09d3085
(2) eap: Previous EAP request found for state 0xa19e2913a09d3085, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 58 bytes
(2) eap_peap: (TLS) EAP Got all data (58 bytes)
(2) eap_peap: (TLS) Handshake state - before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(2) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
(2) eap_peap: ERROR: (TLS) Server : Error in error
(2) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(2) eap_peap: ERROR: (TLS) System call (I/O) error (-1)
(2) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 3 length 4
(2) eap: Failed in EAP select
(2) [eap] = invalid
(2) } # authenticate = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
On my old server this is what I get and expect…
(28) eap: Expiring EAP session with state 0xae1594b9abad81a1
(28) eap: Finished EAP session with state 0xae1594b9abad81a1
(28) eap: Previous EAP request found for state 0xae1594b9abad81a1, released from the list
(28) eap: Peer sent packet with method EAP TTLS (21)
(28) eap: Calling submodule eap_ttls to process data
(28) eap_ttls: Authenticate
(28) eap_ttls: Continuing EAP-TLS
(28) eap_ttls: Peer ACKed our handshake fragment. handshake is finished
(28) eap_ttls: [eaptls verify] = success
(28) eap_ttls: [eaptls process] = success
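A small triage script for the debug output quoted above, added here as an example (it is not from this thread, FreeRADIUS or Cambium). It groups radiusd -X lines by request number, extracts the TLS version the peer's ClientHello announced, the fatal alert the server answered with, and the OpenSSL reason string, and flags sessions that died on a protocol_version alert before any certificate was ever exchanged. The sample log is constructed from the lines in the posts (request 1) plus a healthy session modelled on the old server (request 28; its TLS 1.2 record lines are constructed). The hint text names FreeRADIUS 3.0's tls_min_version/tls_max_version options in mods-available/eap; the wording of the verdicts is mine.

```python
"""Triage FreeRADIUS (radiusd -X) output for EAP-TLS version negotiation failures."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: request (1) mirrors the failing Rocky 9 session quoted
# in the thread; request (28) is a constructed healthy session.
SAMPLE_LOG = """\
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) send TLS 1.0 Alert, fatal protocol_version
(1) eap_ttls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(28) eap: Peer sent packet with method EAP TTLS (21)
(28) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientHello
(28) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(28) eap_ttls: [eaptls process] = success
"""

REQUEST_ID = re.compile(r"^\((\d+)\)\s")
METHOD = re.compile(r"Peer sent packet with method EAP (\S+) \(\d+\)")
CLIENT_HELLO = re.compile(r"recv TLS (\d\.\d) Handshake, ClientHello")
FATAL_ALERT = re.compile(r"send TLS (\d\.\d) Alert, fatal (\w+)")
OPENSSL_ERR = re.compile(r"error:([0-9A-F]{8}):SSL routines::(.+)$")
EAPTLS_RESULT = re.compile(r"\[eaptls process\] = (\w+)")
EAP_FAILURE = re.compile(r"Sending EAP Failure")


@dataclass
class Session:
    request: int
    method: str = "?"
    client_hello_version: Optional[str] = None
    alert: Optional[Tuple[str, str]] = None          # (record version, alert description)
    openssl_error: Optional[Tuple[str, str]] = None  # (reason code, reason text)
    result: str = "unknown"

    @property
    def version_mismatch(self) -> bool:
        """The peer's offered TLS version was refused before any key exchange."""
        return self.alert is not None and self.alert[1] == "protocol_version"


def triage(log_text: str) -> Dict[int, Session]:
    """Group per-request debug lines and pull out the TLS handshake facts."""
    sessions: Dict[int, Session] = {}
    for line in log_text.splitlines():
        head = REQUEST_ID.match(line)
        if not head:
            continue                                  # not a per-request line
        req = int(head.group(1))
        s = sessions.setdefault(req, Session(req))
        if m := METHOD.search(line):
            s.method = m.group(1)
        elif m := CLIENT_HELLO.search(line):
            s.client_hello_version = m.group(1)
        elif m := FATAL_ALERT.search(line):
            s.alert = (m.group(1), m.group(2))
        elif m := OPENSSL_ERR.search(line):
            s.openssl_error = (m.group(1), m.group(2))
        elif m := EAPTLS_RESULT.search(line):
            s.result = "success" if m.group(1) == "success" else "fail"
        elif EAP_FAILURE.search(line):
            s.result = "fail"
    return sessions


def failing_sessions(sessions: Dict[int, Session]) -> List[Session]:
    """Sessions rejected on TLS version alone (no certificate was ever checked)."""
    return [s for s in sessions.values() if s.version_mismatch]


def explain(s: Session) -> str:
    """One-line verdict per session, naming the configuration worth comparing."""
    if s.version_mismatch:
        reason = s.openssl_error[1] if s.openssl_error else "no OpenSSL reason logged"
        return (f"request {s.request} EAP-{s.method}: peer offered TLS "
                f"{s.client_hello_version}, server answered fatal protocol_version "
                f"({reason}); compare tls_min_version/tls_max_version in "
                f"mods-available/eap with the supplicant's allowed TLS versions")
    if s.result == "success":
        return f"request {s.request} EAP-{s.method}: handshake completed"
    return f"request {s.request} EAP-{s.method}: failed for another reason ({s.result})"


if __name__ == "__main__":
    for session in triage(SAMPLE_LOG).values():
        print(explain(session))
```

Run it against a real radiusd -X capture by replacing SAMPLE_LOG with the file contents; a session that shows up in failing_sessions never reached certificate validation, so the certificates themselves are not the first thing to look at for that request.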
Hmm not sure why it would still push through TLS 1.3 if the ciphers are now limited to 1.2 on the server side. Might want to contact the user mailing list (or browse the archives).
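The question in the reply above (why a client still sends a TLS 1.3 hello to a server limited to 1.2) comes down to how versions are negotiated, and the following added example works it through in code; it is not from the thread, FreeRADIUS or OpenSSL. A TLS 1.3 client keeps legacy_version at 0x0303 and lists the versions it actually accepts in the supported_versions extension (RFC 8446, section 4.2.1); the server's own minimum and maximum only decide whether one of those versions is acceptable. The ClientHello bytes are constructed by build_client_hello (zero random, one cipher suite) purely so the parser has input; the parser and the negotiation rule are the general ones, so the example also covers a pre-1.3 hello that carries no extension.

```python
"""Version negotiation for a ClientHello: why "recv TLS 1.3 ClientHello" can end in protocol_version."""
import struct
from typing import List, Optional, Tuple

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43   # RFC 8446 section 4.2.1


def build_client_hello(offered: Optional[List[int]], legacy_version: int = 0x0303) -> bytes:
    """Constructed minimal ClientHello record (all-zero random, one cipher suite).

    offered=None builds a pre-1.3 hello with no supported_versions extension,
    so legacy_version alone states the client's maximum."""
    body = struct.pack("!H", legacy_version)
    body += b"\x00" * 32                              # random (constructed, all zero)
    body += b"\x00"                                   # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # compression_methods: null only
    if offered is not None:
        data = bytes([2 * len(offered)]) + b"".join(struct.pack("!H", v) for v in offered)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Tuple[int, Optional[List[int]]]:
    """Return (legacy_version, supported_versions list or None) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                         # random
    pos += 1 + body[pos]                              # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    supported = None
    if pos < len(body):                               # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                supported = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return legacy_version, supported


def negotiate(record: bytes, server_min: int, server_max: int) -> Optional[int]:
    """Highest version both sides allow; None means the server can only
    answer with a fatal protocol_version alert."""
    legacy, supported = parse_client_hello(record)
    if supported is not None:
        candidates = supported                        # 1.3-style: the extension is authoritative
    else:
        candidates = [v for v in VERSION_NAMES if v <= legacy]   # pre-1.3: legacy_version is a maximum
    acceptable = [v for v in candidates if server_min <= v <= server_max]
    return max(acceptable) if acceptable else None


def describe(record: bytes, server_min: int, server_max: int) -> str:
    """Human-readable outcome for one hello against one server policy."""
    legacy, supported = parse_client_hello(record)
    offered = supported if supported is not None else [legacy]
    offered_txt = ", ".join(VERSION_NAMES.get(v, hex(v)) for v in offered)
    chosen = negotiate(record, server_min, server_max)
    policy = f"{VERSION_NAMES[server_min]}..{VERSION_NAMES[server_max]}"
    if chosen is None:
        return f"client offered [{offered_txt}], server allows {policy}: no overlap, fatal protocol_version alert"
    return f"client offered [{offered_txt}], server allows {policy}: negotiated {VERSION_NAMES[chosen]}"


if __name__ == "__main__":
    tls12_only_server = (0x0303, 0x0303)
    print(describe(build_client_hello([0x0304]), *tls12_only_server))
    print(describe(build_client_hello([0x0304, 0x0303]), *tls12_only_server))
    print(describe(build_client_hello(None), 0x0301, 0x0303))
```

The two first cases are the ones that matter for the thread: a client whose supported_versions lists only TLS 1.3 gets the protocol_version alert from a server capped at 1.2, while a client that also lists 1.2 negotiates 1.2 without any error. So a "TLS 1.3 ClientHello" in the log is normal for a modern supplicant; the failure depends on whether the versions the two sides allow overlap at all.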
Yes. Rocky Linux 9 and Ubuntu 22.04 both will not read the newest certificates that I believe have a 50 year window. That was a test I used to see if I built my certs incorrectly. I believe it has to do with tighter security compiled into OpenSSL since those certs were compiled.
Has there been any update on this issue?
I have a new Ubuntu install and am getting the same issue with the Cambium Certs that are downloaded from the support site.
tls: (TLS) Failed reading certificate file “/etc/raddb/certs/aaasvr_cert.pem”: error:0A00018F:SSL
Is it possible to get a new set of AAA certs generated with 2048 RSA?
Thanks
There has been no update. I have not pursued it further as I am in the middle of a couple of other projects at this moment and the 450 and ePMP line accepts expired certificates. I am almost certain that it is because of security levels with OpenSSL. I will open another ticket probably next month when I have time and escalate it through a couple of their sales engineers that I know. Let me know if you get through it before I get a chance.