On 2.3.2021 1.16, Hirayama, Pat wrote:
I did some testing with Trace 4 and I suspect that it is due to protocol differences between OpenSSL on CentOS 6 and Ubuntu 20 that Heikki and others pointed out when I posted last month when I was having issues with LDAP -- mostly because of the "unsupported protocol" that appears in the logfile -- and the fact that the same basic handler configuration works fine on the older OS/Radiator. But it isn't clear to me what specific protocol is being used that is unsupported.
That would be the TLS protocol. If you try adding 'TLSv1' to EAPTLS_Protocols, would that help?
For additional backwards compatibility, you can try setting SECLEVEL=0, but I'd first check if the clients simply require TLS 1.0. The web is (mostly) TLSv1.2 and 1.3, but TLS-based EAP methods may still require older TLS versions.
[inner Handler's AuthBy follows]
EAPType MSCHAP-V2,PEAP,TTLS
I'd simply leave MSCHAP-V2 enabled and remove all EAPTLS_* settings from the inner handler's AuthBy.
[remove these]
EAPTLS_PEAPVersion 0
EAPTLS_CertificateType PEM
EAPTLS_MaxFragmentSize 1024
EAPTLS_SecurityLevel 1
EAPTLS_Ciphers DEFAULT@SECLEVEL=1
EAPTLS_Protocols TLSv1.1, TLSv1.2
EAPAnonymous %0
SSLeayTrace 4
[all the way to here]
#### Outer Handler #####
# When clients check the 'Validate Server Certificate' (or equivalent), then this stanza plays a key role
<Handler>
<AuthBy FILE>
EAPTLS_SecurityLevel 1
EAPTLS_Ciphers DEFAULT@SECLEVEL=1
EAPTLS_Protocols TLSv1.1, TLSv1.2
Try adding TLSv1 to the allowed protocols, as mentioned above.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
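As an added illustration (not part of the thread and not Radiator's own documentation), here are the two AuthBy stanzas from the posted configuration rearranged along the lines of the advice above: the inner AuthBy keeps MSCHAP-V2 and loses every EAPTLS_* line, while the outer AuthBy gains TLSv1 in EAPTLS_Protocols, with the SECLEVEL=0 fallback left commented out. Everything not shown (Filename, Handler selectors, the outer EAPType) is assumed to stay as it already is in your file.

```text
# Inner handler's AuthBy (goes inside your existing inner <Handler>).
# TLS is terminated by the outer handler, so nothing TLS-related belongs here.
<AuthBy FILE>
    # existing non-EAP settings (Filename etc.) unchanged
    EAPType MSCHAP-V2
    # removed from here: EAPTLS_PEAPVersion, EAPTLS_CertificateType,
    # EAPTLS_MaxFragmentSize, EAPTLS_SecurityLevel, EAPTLS_Ciphers,
    # EAPTLS_Protocols, EAPAnonymous, SSLeayTrace
</AuthBy>

# Outer handler's AuthBy (goes inside your existing outer <Handler>).
# This is where the client validates the server certificate and where
# the TLS version it offers has to be in the allowed list.
<AuthBy FILE>
    # existing EAPType and other settings unchanged
    EAPTLS_SecurityLevel 1
    EAPTLS_Ciphers DEFAULT@SECLEVEL=1
    # was: EAPTLS_Protocols TLSv1.1, TLSv1.2
    # clients that only speak TLS 1.0 fail with "unsupported protocol"
    # against the Ubuntu 20 OpenSSL unless TLSv1 is allowed explicitly
    EAPTLS_Protocols TLSv1, TLSv1.1, TLSv1.2
    # Fallback only if clients still fail after the change above and you have
    # confirmed they need it; level 0 relaxes more than just the TLS version.
    # EAPTLS_SecurityLevel 0
    # EAPTLS_Ciphers DEFAULT@SECLEVEL=0
</AuthBy>
```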
