On 02/10/2018 at 17:09, Dominik George wrote:
> On Tue, Oct 02, 2018 at 04:08:41PM +0200, Pétùr wrote:
>> On debian sid, I have the following error when trying to connect to a WPA2
>> Enterprise network (PEAP + MSCHAPv2) with :
>>
>> Tue Oct 2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
>> Tue Oct 2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL
>> routines:SSL3_GET_RECORD:wrong version number
>> Tue Oct 2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call
>> (-1), TLS session fails.
>> Tue Oct 2 14:07:43 2018 : Auth: Login incorrect (TLS Alert
>> write:fatal:protocol version): [lo...@myuniversity.com]
> OpenSSL 1.1.1, and pretty much everything using it, is now disabling TLS 1.1
> by default. That's probably what you see here, and it means that your RADIUS
> server supports only deprecated TLS versions.
>
> You can enable TLS 1.1 in your wpa_supplicant config, but the real fix is to
> enable TLS 1.2 on your RADIUS server. That has been enabled by default in
> freeradius in Debian since at least jessie, to give you an idea of how
> outdated the setup is ;).

Thanks, I think the TLS version is the problem.

I configured wpa_supplicant (because network-manager does not offer an option for the TLS version).

Do you know what exact option is needed by wpa_supplicant to allow TLS 1.1?

I tried to add "phase1="tls_disable_tlsv1_2=1"" (see below the complete wpa_supplicant configuration). With this option, I don't have the error message but I don't have a working connection either.

/etc/wpa_supplicant/wpa_supplicant.conf

network={
    ssid="University network"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP TKIP
    eap=PEAP
    ca_cert="/home/petur/.cat_installer/ca.pem"
    identity="n...@univeristy.com"
    domain_suffix_match="radius.university.com"
    phase1="tls_disable_tlsv1_2=1"
    phase2="auth=MSCHAPV2"
    password="xxxxxxx"
    anonymous_identity="anonym...@university.com"
}

Pétùr
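
Added example, not part of the original thread: a small Python audit for a wpa_supplicant.conf that reports network blocks whose phase1 disables a TLS version (the tls_disable_tlsv1_2=1 setting tried above) and, going slightly beyond the message, 802.1X blocks with no ca_cert or server-name match. The sample config, the finding names and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the configuration in the message above.
SAMPLE_CONF = '''
network={
    ssid="University network"
    eap=PEAP
    ca_cert="/etc/ssl/constructed-ca.pem"
    domain_suffix_match="radius.university.com"
    phase1="tls_disable_tlsv1_2=1"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="constructed-lab"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
'''

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)  # split once: phase1 values contain '='
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit(fields):
    """Return finding codes for one block (the checks are this example's own choice)."""
    findings = []
    for ver in re.findall(r"tls_disable_tlsv(\d_\d)=1", fields.get("phase1", "")):
        findings.append("tls%s-disabled" % ver.replace("_", "."))
    if "eap" in fields:
        if "ca_cert" not in fields and "ca_path" not in fields:
            findings.append("no-ca-cert")  # server certificate is not verified
        names = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
        if not any(k in fields for k in names):
            findings.append("no-server-name-check")
    return findings

def audit_config(text):
    # Map each SSID to its list of findings (an empty list means nothing flagged).
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

A block flagged with tls1.2-disabled is the client-side workaround; the fix named in the quoted reply is enabling TLS 1.2 on the RADIUS server.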