[SOLVED] Cannot authenticate after freeradius update

[batistuta]

After upgrading to 21.1.7 freeradius can't stop giving me headaches. First the eap issue described in https://forum.opnsense.org/index.php?topic=23556.0. But now I am not able to connect my printer via EAP-TLS anymore. The log reads

2021-06-19T12:15:02       Auth: (28) Login incorrect (eap_tls: (TLS) Alert write:fatal:protocol version): [ledPrinter/<via Auth-Type = eap>] (from client Wavelength port 0 cli 0C-96-E6-2B-78-59)   
2021-06-19T12:15:02       ERROR: (28) eap_tls: ERROR: (TLS) Server : Error in error   
2021-06-19T12:15:02       ERROR: (28) eap_tls: ERROR: (TLS) Alert write:fatal:protocol version

which points to some protocol version. I was trying to figure out if the upgrade somehow increased the minimum protocol version, which probably isn't supported by my printer. However, I can't figure out where such an option could be hidden. The file mods-enabled-eap didn't seem to have any option for this.

Downgrading freeradius to 21.1.6 fixed the issue, but it is not a long-term solution. Any help would be greatly appreciated! Thanks.

[mimugmail]

Did you also apply the latest hotfix 21.1.7_1?

[KHE]

Hi,

it is in /usr/local/etc/raddb/mods-enabled/eap. It is not there by default. But maybe the ecdh_curve or the cipher_list changed.

KH

[batistuta]

Did you also apply the latest hotfix 21.1.7_1?

I didn't apply any hotfix explicitly, but I did update the system to the latest state, until opnsense reports that no updates are available. At the same time, I do not think this issue is a bug requiring a hotfix. My guess is that developers probably decided to disable a low protocol version due to security issues or something along those lines. I am just looking for a way to whitelist.

[batistuta]

it is in /usr/local/etc/raddb/mods-enabled/eap. It is not there by default. But maybe the ecdh_curve or the cipher_list changed.

Thanks for the hint. But could you please point me to the documentation or a way to find out the options? The documentation https://networkradius.com/doc/3.0.10/raddb/mods-available/eap.html doesn't seem to mention any way to increase the minimum protocol version. I have looked at the cipher list option, but I cannot figure out what this means or how it can help me. Thanks.

[KHE]

Hi,

ist is tls_min_version and tls_max_version. Valid values are: 1.0, 1.1, 1.2 and 1.3. Main documentation seems to be: https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/eap.

What is the setting of the cipher_list and the ecdh_curve?

KH

PS: I will later have a look at the logs of my tests trying to find a working and secure setting.

[batistuta]

it is tls_min_version and tls_max_version. Valid values are: 1.0, 1.1, 1.2 and 1.3.

Thanks a lot for this information. This fixed it! I added "tls_min_version = 1.0" below the "disable_tlsv1_2" option, restarted freeradius, and everything worked like before.

What is the setting of the cipher_list and the ecdh_curve?

I had the default values untouched as ecdh_curve = "prime256v1" and cipher_list = "DEFAULT"
The tls_min_version did the trick. It looks like freeradius increased the default min version to 1.2, and this broke my setup. Unfortunately, I cannot influence my printer's firmware. Despite being updated a few days ago, it seems to be stucked in 1.0. But I am happy with this workaround.

Thanks a lot KHE for your help.

[KHE]

Hi,

The tls_min_version did the trick. It looks like freeradius increased the default min version to 1.2, and this broke my setup. Unfortunately, I cannot influence my printer's firmware. Despite being updated a few days ago, it seems to be stucked in 1.0. But I am happy with this workaround.

just to document additional devcies which only support TLS version 1.0 are Kindle Paperwhite (7th Generation) and older with firmware 5.12.2.1.1 or lower. I do not know if the newer devices with firmware 5.13.6 support this.

Thanks a lot KHE for your help.

You are welcome.

KH