Messages - nm0ct

#1
Turns out I forgot to set the Elliptic Curve to secp384r1, which is needed to be fully compliant with WPA3 192 bit mode.
My 24H2 devices can authenticate after that change.
#2
Thank you, from the logs it seems like 24H2 refuses to use TLS 1.2 during handshake process and maybe openssl or Freeradius doesn't support TLS 1.3 ciphers?

Below is the error for my W11 24H2 device
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: (TLS) EAP Peer says that the final record size will be 282 bytes
(1) eap_tls: (TLS) EAP Got all data (282 bytes)
(1) eap_tls: (TLS) TLS - Handshake state - before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal handshake_failure
(1) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:handshake failure
(1) eap_tls: ERROR: (TLS) TLS - Server : Error in error
(1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A0000C1:SSL routines::no shared cipher
(1) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(1) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(1) eap_tls: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 116 length 4
(1) eap: Failed in EAP select

Same device after I changed tls_max_version = "1.3"
(1) eap_tls: (TLS) EAP Peer says that the final record size will be 282 bytes
(1) eap_tls: (TLS) EAP Got all data (282 bytes)
(1) eap_tls: (TLS) TLS - Handshake state - before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) TLS - send TLS 1.3 Alert, fatal handshake_failure
(1) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:handshake failure
(1) eap_tls: ERROR: (TLS) TLS - Server : Error in error
(1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000065:SSL routines::no suitable key share
(1) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(1) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(1) eap_tls: ERROR: [eaptls process] = fail
(1) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 89 length 4
(1) eap: Failed in EAP select


23H2 device which was able to negotiate to use ECDHE-RSA-AES256-GCM-SHA384
(15) eap: Calling submodule eap_tls to process data
(15) eap_tls: (TLS) EAP Peer says that the final record size will be 223 bytes
(15) eap_tls: (TLS) EAP Got all data (223 bytes)
(15) eap_tls: (TLS) TLS - Handshake state - before SSL initialization
(15) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(15) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(15) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHello
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server hello
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Certificate
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write key exchange
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, CertificateRequest
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate request
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server done
(15) eap_tls: (TLS) TLS - Server : Need to read more data: SSLv3/TLS write server done
(15) eap_tls: (TLS) TLS - In Handshake Phase
...
(23) Restoring &session-state
(23)   &session-state:Framed-MTU = 994
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Certificate"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Finished"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec"
(23)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Finished"
(23)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(23)   &session-state:TLS-Session-Version = "TLS 1.2"

Are there any other settings I could change for Freeradius to try to get this to work?
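An added example, not from the original thread: a small Python triage script that groups eap_tls debug lines like the ones quoted above by request id and maps the OpenSSL reason string to a likely configuration cause. The hints are heuristics that assume the cause the poster later found (the server's ECDH curve not covering secp384r1, which WPA3 192-bit requires); the sample log is a constructed, renumbered subset of the lines quoted above.

```python
import re

# Constructed sample: a trimmed, renumbered copy of the two failing handshakes
# and the one successful 23H2 handshake quoted in this thread.
SAMPLE_LOG = """\
(1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal handshake_failure
(1) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A0000C1:SSL routines::no shared cipher
(2) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(2) eap_tls: (TLS) TLS - send TLS 1.3 Alert, fatal handshake_failure
(2) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000065:SSL routines::no suitable key share
(3) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(3) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHello
(3)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(3)   &session-state:TLS-Session-Version = "TLS 1.2"
"""

REQ_ID = re.compile(r"^\((\d+)\)")
RECV = re.compile(r"recv TLS (1\.\d) Handshake, ClientHello")
SEND = re.compile(r"send TLS (1\.\d) (Alert|Handshake)")
OPENSSL_ERR = re.compile(r"Failed reading from OpenSSL: error:([0-9A-F]+):SSL routines::(.+)$")
CIPHER = re.compile(r'TLS-Session-Cipher-Suite = "([^"]+)"')

# Heuristic hints (assumption: in this thread both reasons trace back to the
# server's ecdh_curve not including secp384r1, which WPA3 192-bit clients require).
HINTS = {
    "no shared cipher": "TLS 1.2 path: no suite usable with the client's offered suites/groups; "
                        "check cipher_list and ecdh_curve (WPA3-192 needs secp384r1)",
    "no suitable key share": "TLS 1.3 path: client's key_share group is not enabled on the server; "
                             "check ecdh_curve (WPA3-192 needs secp384r1)",
}

def triage(log_text):
    """Group eap_tls lines by request id and summarise each handshake's outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = REQ_ID.match(line)
        if not m:
            continue
        s = sessions.setdefault(m.group(1), {"client_hello": None, "server": None,
                                             "error": None, "cipher": None, "hint": None})
        if (r := RECV.search(line)):
            s["client_hello"] = r.group(1)          # TLS version the client offered
        if (r := SEND.search(line)):
            s["server"] = f"TLS {r.group(1)} {r.group(2)}"  # what the server replied with
        if (r := OPENSSL_ERR.search(line)):
            s["error"] = r.group(2)
            s["hint"] = HINTS.get(r.group(2), "unrecognised OpenSSL reason; read the full debug output")
        if (r := CIPHER.search(line)):
            s["cipher"] = r.group(1)                # only present on a successful handshake
    return sessions

if __name__ == "__main__":
    for rid, s in triage(SAMPLE_LOG).items():
        status = "OK" if s["cipher"] else "FAIL"
        print(f"request {rid}: {status} client={s['client_hello']} server={s['server']} "
              f"error={s['error']} cipher={s['cipher']}")
        if s["hint"]:
            print(f"  hint: {s['hint']}")
```

Run it against `radiusd -X` output instead of the sample to see, per request, whether the failure is on the TLS 1.2 or TLS 1.3 path before touching tls_max_version or cipher settings.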
#3
Hello,

I'm wondering where I can get more debug output from the Freeradius plugin; at the moment I am only getting the following output when trying to authenticate with EAP-TLS.

eap_tls: ERROR: (TLS) TLS - Alert write:fatal:handshake failure
eap_tls: ERROR: (TLS) TLS - Server : Error in error
Login incorrect (eap_tls: (TLS) TLS - Alert write:fatal:handshake failure): [radiusdebug/<via Auth-Type = eap>] (from client u6mesh port 3)

This error only comes up with Windows 11 24H2 clients connecting to WPA3 192bit WiFi. I didn't have this problem with 23H2 or prior & no other operating systems have this issue.