OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: batistuta on June 19, 2021, 06:56:32 AM

Title: [SOLVED] Cannot authenticate after freeradius update
Post by: batistuta on June 19, 2021, 06:56:32 AM
After upgrading to 21.1.7 freeradius can't stop giving me headaches. First the eap issue described in https://forum.opnsense.org/index.php?topic=23556.0. But now I am not able to connect my printer via EAP-TLS anymore. The log reads

Quote
2021-06-19T12:15:02  Auth: (28) Login incorrect (eap_tls: (TLS) Alert write:fatal:protocol version): [ledPrinter/<via Auth-Type = eap>] (from client Wavelength port 0 cli 0C-96-E6-2B-78-59)
2021-06-19T12:15:02  ERROR: (28) eap_tls: ERROR: (TLS) Server : Error in error
2021-06-19T12:15:02  ERROR: (28) eap_tls: ERROR: (TLS) Alert write:fatal:protocol version

which points to some protocol version. I was trying to figure out if the upgrade somehow increased the minimum protocol version, which probably isn't supported by my printer. However, I can't figure out where such an option could be hidden. The file mods-enabled-eap didn't seem to have any option for this.

Downgrading freeradius to 21.1.6 fixed the issue, but it is not a long-term solution. Any help would be greatly appreciated! Thanks.

Title: Re: Cannot authenticate after freeradius update
Post by: mimugmail on June 19, 2021, 08:08:28 AM
Did you also apply the latest hotfix 21.1.7_1?
Title: Re: Cannot authenticate after freeradius update
Post by: KHE on June 19, 2021, 09:44:39 AM
Hi,

it is in /usr/local/etc/raddb/mods-enabled/eap. It is not there by default. But maybe the ecdh_curve or the cipher_list changed.

KH
Title: Re: Cannot authenticate after freeradius update
Post by: batistuta on June 19, 2021, 04:41:06 PM
Quote from: mimugmail on June 19, 2021, 08:08:28 AM
Did you also apply the latest hotfix 21.1.7_1?
I didn't apply any hotfix explicitly, but I did update the system to the latest state, until opnsense reports that no updates are available. At the same time, I do not think this issue is a bug requiring a hotfix. My guess is that developers probably decided to disable a low protocol version due to security issues or something along those lines. I am just looking for a way to whitelist.
Title: Re: Cannot authenticate after freeradius update
Post by: batistuta on June 19, 2021, 04:48:18 PM
Quote from: KHE on June 19, 2021, 09:44:39 AM
it is in /usr/local/etc/raddb/mods-enabled/eap. It is not there by default. But maybe the ecdh_curve or the cipher_list changed.
Thanks for the hint. But could you please point me to the documentation or a way to find out the options? The documentation https://networkradius.com/doc/3.0.10/raddb/mods-available/eap.html doesn't seem to mention any way to increase the minimum protocol version. I have looked at the cipher list option, but I cannot figure out what this means or how it can help me. Thanks.
Title: Re: Cannot authenticate after freeradius update
Post by: KHE on June 20, 2021, 10:22:17 AM
Hi,

it is tls_min_version and tls_max_version. Valid values are: 1.0, 1.1, 1.2 and 1.3. Main documentation seems to be: https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/eap.

What is the setting of the cipher_list and the ecdh_curve?

KH

PS: I will later have a look at the logs of my tests trying to find a working and secure setting.
Title: Re: Cannot authenticate after freeradius update
Post by: batistuta on June 21, 2021, 04:12:23 PM
Quote from: KHE on June 20, 2021, 10:22:17 AM
it is tls_min_version and tls_max_version. Valid values are: 1.0, 1.1, 1.2 and 1.3.
Thanks a lot for this information. This fixed it! I added "tls_min_version = 1.0" below the "disable_tlsv1_2" option, restarted freeradius, and everything worked like before.

Quote
What is the setting of the cipher_list and the ecdh_curve?
I had the default values untouched as ecdh_curve = "prime256v1" and cipher_list = "DEFAULT"
The tls_min_version did the trick. It looks like freeradius increased the default min version to 1.2, and this broke my setup. Unfortunately, I cannot influence my printer's firmware. Despite being updated a few days ago, it seems to be stuck on 1.0. But I am happy with this workaround.

Thanks a lot KHE for your help.
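The two posts above identify the knob (tls_min_version / tls_max_version in the tls-config section of mods-enabled/eap) and the workaround (setting the floor back to 1.0). Before and after an upgrade it helps to know exactly which TLS versions the eap module will negotiate, because lowering the floor applies to every supplicant that uses that tls-config, not just the printer. The script below is an added example, not code from the thread or from the FreeRADIUS project: it parses the tls-config block of an eap module file and reports the effective version range. The sample config is constructed to mirror what the thread describes (stock disable_tlsv1_* lines with tls_min_version = 1.0 added underneath). Two things are assumptions rather than facts from the thread: that the legacy disable_tlsv1* flags remove individual versions from the min/max range (OpenSSL applies SSL_OP_NO_TLSv1* on top of the protocol-version bounds), and that an absent tls_min_version means 1.2, the floor the poster reports the upgraded package enforcing.

```python
"""Audit the TLS version floor of a FreeRADIUS 3.x eap module config.

Added example, not code from the forum thread or from FreeRADIUS.
Reads the tls-config section of an eap module file (the thread's path is
/usr/local/etc/raddb/mods-enabled/eap) and reports which TLS versions
the EAP-TLS server will accept.

Assumptions (not taken from the thread):
  * tls_min_version / tls_max_version bound the range; the legacy
    disable_tlsv1* flags remove single versions from it.
  * A missing tls_min_version is treated as 1.2, a missing
    tls_max_version as 1.3.
"""
import re
import sys
from pathlib import Path

TLS_VERSIONS = ["1.0", "1.1", "1.2", "1.3"]
DEFAULT_MIN, DEFAULT_MAX = "1.2", "1.3"   # assumed defaults, see docstring
WEAK = {"1.0", "1.1"}                     # deprecated by RFC 8996

# Constructed sample mirroring the thread: the stock disable_tlsv1_2 line
# with tls_min_version = 1.0 added underneath.
SAMPLE_EAP = """\
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
        disable_tlsv1 = no
        disable_tlsv1_1 = no
        disable_tlsv1_2 = no
        tls_min_version = 1.0
    }
    tls {
        tls = tls-common
    }
}
"""

_KV = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\s#]+)"?')


def parse_tls_config(text):
    """Return flat key/value assignments found inside `tls-config ... { }`.

    Deliberately small: the real FreeRADIUS parser handles nesting,
    $INCLUDE and ${} expansion; here only flat assignments in the
    tls-config block are needed.
    """
    settings = {}
    depth, in_block = 0, False
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if re.match(r"^tls-config\b.*\{$", stripped):
            in_block, depth = True, 1
            continue
        if in_block:
            if stripped.endswith("{"):
                depth += 1
            elif stripped == "}":
                depth -= 1
                if depth == 0:
                    in_block = False
                continue
            m = _KV.match(stripped)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def enabled_versions(settings):
    """Versions inside [tls_min_version, tls_max_version] not disabled by a flag."""
    lo = settings.get("tls_min_version", DEFAULT_MIN)
    hi = settings.get("tls_max_version", DEFAULT_MAX)
    disabled = {
        "1.0": settings.get("disable_tlsv1", "no"),
        "1.1": settings.get("disable_tlsv1_1", "no"),
        "1.2": settings.get("disable_tlsv1_2", "no"),
    }
    i, j = TLS_VERSIONS.index(lo), TLS_VERSIONS.index(hi)
    return [v for v in TLS_VERSIONS[i:j + 1]
            if disabled.get(v, "no").lower() not in ("yes", "on", "1")]


def audit(text):
    versions = enabled_versions(parse_tls_config(text))
    weak = sorted(WEAK & set(versions))
    return {"enabled": versions, "weak": weak, "ok": not weak}


if __name__ == "__main__":
    src = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_EAP
    result = audit(src)
    print("TLS versions the EAP-TLS server will accept:", ", ".join(result["enabled"]))
    if result["weak"]:
        print("WARNING: deprecated TLS versions enabled:", ", ".join(result["weak"]))
        sys.exit(1)
```

Run it as `python3 audit_eap_tls.py /usr/local/etc/raddb/mods-enabled/eap` on the box; with no argument it audits the constructed sample and exits non-zero because 1.0 and 1.1 are enabled. Dropping the floor is a fleet-wide change for everything using that tls-config, so if only one device needs TLS 1.0 consider a separate tls-config for it rather than lowering the default, and if the eap file is generated from the plugin's template, re-run the audit after the next reconfigure to confirm the edit survived.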
Title: Re: Cannot authenticate after freeradius update
Post by: KHE on June 21, 2021, 06:24:05 PM
Hi,


Quote from: batistuta on June 21, 2021, 04:12:23 PM
The tls_min_version did the trick. It looks like freeradius increased the default min version to 1.2, and this broke my setup. Unfortunately, I cannot influence my printer's firmware. Despite being updated a few days ago, it seems to be stuck on 1.0. But I am happy with this workaround.

Just to document: additional devices which only support TLS version 1.0 are Kindle Paperwhite (7th Generation) and older with firmware 5.12.2.1.1 or lower. I do not know if the newer devices with firmware 5.13.6 support this.

Quote
Thanks a lot KHE for your help.
You are welcome.

KH