Join Log in
Score:1
Václav avatar Server

FreeRADIUS keeps complaining about TLS 1.0/1.1, despite tls_min_version setting has been set to 1.2

cn flag
Václav

I'm implementing EAP-TTLS with FreeRADIUS 3.0.21. Devices are able to connect, server is running. However, FreeRADIUS complains about TLS 1.0/1.1 are still available in its starting log messages. Here's the output of systemctl status freeradius command:

● freeradius.service - FreeRADIUS multi-protocol policy server
     Loaded: loaded (/lib/systemd/system/freeradius.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-03-09 17:22:55 UTC; 2h 33min ago
       Docs: man:radiusd(8)
             man:radiusd.conf(5)
             http://wiki.freeradius.org/
             http://networkradius.com/doc/
    Process: 783 ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout (code=exited, status=0/SUCCESS)
   Main PID: 786 (freeradius)
     Status: "Processing requests"
      Tasks: 6 (limit: 2101)
     Memory: 81.7M (limit: 2.0G)
        CPU: 1.621s
     CGroup: /system.slice/freeradius.service
             └─786 /usr/sbin/freeradius -f

Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_sql (sql): Attempting to connect to database "radius"
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_sql (sql): Initialising connection pool
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Ignoring "ldap" (see raddb/mods-available/README.rst)
Mar 09 17:22:54 rpi4-20230308 freeradius[783]:  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: radiusd: #### Skipping IP addresses and Ports ####
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned using only TLS 1.2 for security
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Please set: tls_min_version = "1.2"
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Configuration appears to be OK
Mar 09 17:22:55 rpi4-20230308 systemd[1]: Started FreeRADIUS multi-protocol policy server.

FreeRADIUS complains, despite the fact that I have set the recommended option tls_min_version = "1.2" in mods-available/eap file. Here's the file:


eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls-config tls-common {
        private_key_password = secretpassword
        private_key_file = ${certdir}/freeradius.key.pem
        certificate_file = ${certdir}/freeradius.pem
        ca_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
                #cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
        cipher_server_preference = no
        tls_min_version = "1.2"
        tls_max_version = "1.2"
        ecdh_curve = "secp384r1"
        cache {
            enable = no
            lifetime = 24 # hours
            persist_dir = "${logdir}/tlscache"
            store {
                Tunnel-Private-Group-Id
            }
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    tls {
        tls = tls-common
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

Additionally, here's my sites-available/tls file:

listen {
    ipaddr = *
    port = 2083
    type = auth+acct
    proto = tcp
    virtual_server = default
    clients = radsec
    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
    tls {

        private_key_password = secretpassword 
                private_key_file = ${certdir}/freeradius.key.pem
        certificate_file = ${certdir}/freeradius.pem
        ca_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 8192
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        cache {
              enable = no
              lifetime = 24 # hours
        }
        require_client_cert = yes
        verify {
        }
    }
}
clients radsec {
    client 127.0.0.1 {
        ipaddr = 127.0.0.1
        proto = tls
        secret = radsec
    }
}
home_server tls {
    ipaddr = 127.0.0.1
    port = 2083
    type = auth
    secret = radsec
    proto = tcp
    status_check = none
    tls {
        private_key_password = whatever
        private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
        certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
        ca_file = /etc/ssl/certs/ca-certificates.crt
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 8192
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
    }
}
home_server_pool tls {
         type = fail-over
         home_server = tls
}
realm tls {
      auth_pool = tls
}

The FreeRADIUS server runs on Debian, on a RaspberryPi4. Here's the output of uname -a command:

Linux rpi4-20230308 5.10.0-21-arm64 #1 SMP Debian 5.10.162-1 (2023-01-21) aarch64 GNU/Linux

The output of openssl version command is this:

OpenSSL 1.1.1n  15 Mar 2022

Please, can anyone help me figure out, what is wrong with the configuration (if anything) and why the FreeRADIUS server thinks it may accept handling TLS 1.0/1.1 handshakes?

Here's a wireshark screenshot of what's happening to address Konrad Gajewski's suggestion

wireshark screenshot shows TLSv1.2 handshakes

217
2 + 0
eap
Score:0
Micah avatar Server
cl flag
Micah

Possibly you may have to make the change not in mods-available/eap, but in mods-enabled/eap instead. This did the trick for me with freeradius 3.0.12 running on Ubuntu 16 (in this old freeradius version the syntax is disable_tlsv1_0=yes and disable_tlsv1_1=yes and not tls_min_version = "1.2").

Give it a try!

+ 1
Václav avatar
cn flag
Václav
Nope, not the case. Whatever I could find in the `mods-available/eap`, was in `mods-enabled/eap`. Especially, if you do `ls -hal /etc/freeradius/3.0/mods-enabled/` you're gonna see `eap -> ../mods-available/eap` - there are only symlinks in the `mods-enabled` folder
0
Reply
Score:0
Konrad Gajewski avatar Server
cl flag
Konrad Gajewski

When running FreeRADIUS on Debian, you must keep in mind, that the default version does not support TLS out of the box. It does not report any specific error, it just was not compiled to work with it.

To solve this you need to compile FreeRADIUS with SSL/TLS support enabled. Essentially create your own debs, install them, and later on make sure they do not get overwritten when upgrading the server.

(How to do this is another matter - but let us know if you get stuck with it)

+ 2
Václav avatar
cn flag
Václav
Maybe it is the case with *TLS* (i.e. when client must also have his private key). In my case I do *TTLS*, which is a bit different section in configuration files. I've sniffed moment of connection traffic with both _wireshark_ and _tcpdump_ - both did not contain unencrypted password. What I've found there looked as a proper TLSv1.2 auth. I've attached wireshark screenshot to the question. I've got Apple router and as you may see, it sends me back the certificate - the public part (there's my name on it Viacheslav). Do you think they've started packaging FreeRADIUS debs with TLS pre-compiled?
0
Reply
Konrad Gajewski avatar
cl flag
Konrad Gajewski
Not sure what the current status of the debs is, but I remember when I was doing it, everything seemed ok, but it finally failed. In order to test if you have the TTLS enabled get the standard compilation environment to compile the debs yourself and see if the configuration portion contains the TTLS enable statement.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.