Univention Bugzilla – Bug 55247
Radius TLS problems since windows update on win10 & win11 clients
Last modified: 2023-03-01 14:55:23 CET
I request that this problem is fixed very quickly, because the Windows 10 and Windows 11 clients run into this problem since the last Windows update. The TLS versions in the UCS are outdated and therefore Win10 and Win11 clients are experiencing connection problems in the 802.1x environment. Here is some more information about the problem: https://support.microsoft.com/de-de/topic/windows-10-ger%C3%A4te-k%C3%B6nnen-sich-nicht-mit-einer-802-1-x-umgebung-verbinden-179ef277-e6ef-8ea3-cb0e-11a6b80fa955

In the file /etc/freeradius/3.0/mods-available/eap the customer can add

    tls_min_version = "1.2"
    tls_max_version = "1.2"

I guess we need a better solution via an errata update, please.
I'm not sure they run into this problem since the last Windows update; that article is over 7 years old and that particular bug has been fixed in our freeradius version. But Microsoft might have changed the TLS negotiation process in one of the last updates. I didn't investigate that further.

Fact is, we do have a problem here. The client tries to use tls v3, which is not supported by our freeradius version: https://github.com/FreeRADIUS/freeradius-server/issues/2385

Basically our freeradius version was developed before the behavior for EAP and tls v3 was defined. But our openssl version 1.1.1 has no problem negotiating tls v3. We need to disable tls v3 from within freeradius. So setting `tls_max_version = "1.2"` is the right solution. I don't think we need to set the min_version.

Side note: EAP and tls v3 was just finalized in February 2022: https://datatracker.ietf.org/doc/rfc9190/
Another Customer affected
Another Customer affected.
Same on 2022111821000661
Maybe it would be a better choice to get a UCRV to change and set the TLS version for freeRADIUS.
Next school customer who needs a fix and is not happy to edit the configuration manually.
a65f4710565c42d7520da0ff6a8671daa947e436 | Bug #55247: test case
a645629f2a25c6e8d66977b5f693fd494cf4d249 | Bug #55247: disable tls v3 for radius
73559192080fb054d1b77503dbae1205106fcd06 | Bug #55247: yaml

- The radius TLS version can now be defined via UCR `freeradius/conf/tls-max-version`
- Set the default TLS version to 1.2
- Added test for it
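The two settings discussed above (the manual `tls_max_version = "1.2"` workaround in mods-available/eap and the `freeradius/conf/tls-max-version` UCR variable that now writes it) are easy to get wrong because the stock eap file ships the line commented out. The script below is an added example, not Univention's or FreeRADIUS' own code: it parses the `tls-config tls-common { ... }` block of a constructed sample eap file, reports which TLS versions the server would still accept, and renders the pinned variant. It assumes, as the thread states, that the build links against OpenSSL 1.1.1 offering up to TLS 1.3, and that an unset `tls_max_version` lets OpenSSL negotiate its maximum; the exact text the UCR template writes is likewise assumed, and the certificate paths are placeholders.

```python
import re
from typing import Dict, Tuple

# Constructed sample: a trimmed-down FreeRADIUS 3.0 mods-available/eap file in
# the state the bug describes, i.e. with no explicit TLS version bounds.
EAP_UNBOUNDED = """\
eap {
    default_eap_type = peap
    timer_expire = 60
    tls-config tls-common {
        private_key_file = /path/to/server.pem   # placeholder path
        certificate_file = /path/to/server.pem   # placeholder path
        ca_file = /path/to/ca.pem                # placeholder path
        cipher_list = "DEFAULT"
        # tls_min_version = "1.0"
        # tls_max_version = "1.2"
    }
    peap {
        tls = tls-common
    }
}
"""

# The same file after the workaround from comment 1 / the UCR default from comment 10.
EAP_PINNED = EAP_UNBOUNDED.replace(
    '        # tls_max_version = "1.2"\n',
    '        tls_max_version = "1.2"\n',
)

# Versions OpenSSL 1.1.1 can offer (TLS 1.3 support is stated in the thread).
OPENSSL_VERSIONS: Tuple[str, ...] = ("1.0", "1.1", "1.2", "1.3")

_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
_MAX_LINE = re.compile(r'^(\s*)#?\s*tls_max_version\s*=.*$', re.M)


def parse_tls_config(text: str, name: str = "tls-common") -> Dict[str, str]:
    """Return the top-level key/value pairs of `tls-config <name> { ... }`.

    '#' comments are stripped first, so a commented-out tls_max_version line
    is (correctly) ignored; that is exactly the trap in the stock config.
    """
    settings: Dict[str, str] = {}
    inside = False
    level = 0        # current brace nesting depth
    block_level = 0  # depth of the block body we care about
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not inside:
            if re.match(rf'^\s*tls-config\s+{re.escape(name)}\s*\{{', line):
                inside = True
                block_level = level + 1
            level += line.count("{") - line.count("}")
            continue
        level += line.count("{") - line.count("}")
        if level < block_level:
            break  # closing brace of the tls-config block
        if level == block_level:  # skip nested sub-blocks such as cache { }
            m = _ASSIGN.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    if not inside:
        raise ValueError(f"no tls-config {name} block found")
    return settings


def negotiable_tls_versions(settings: Dict[str, str],
                            offered: Tuple[str, ...] = OPENSSL_VERSIONS) -> Tuple[str, ...]:
    """TLS versions the server would accept from a supplicant.

    Assumption (from the thread): an unset tls_max_version means OpenSSL's
    own maximum, which with OpenSSL 1.1.1 is TLS 1.3.
    """
    lo = settings.get("tls_min_version", offered[0])
    hi = settings.get("tls_max_version", offered[-1])
    if lo not in offered or hi not in offered or offered.index(lo) > offered.index(hi):
        raise ValueError(f"invalid TLS bounds {lo}..{hi}")
    return offered[offered.index(lo):offered.index(hi) + 1]


def tls13_exposure(text: str) -> bool:
    """True when a TLS 1.3-capable supplicant would end up negotiating 1.3."""
    return "1.3" in negotiable_tls_versions(parse_tls_config(text))


def pin_max_version(text: str, version: str = "1.2") -> str:
    """Render what setting freeradius/conf/tls-max-version is assumed to write:
    an active tls_max_version line inside tls-common (reusing a commented one)."""
    if _MAX_LINE.search(text):
        return _MAX_LINE.sub(rf'\1tls_max_version = "{version}"', text, count=1)
    return re.sub(r'^(\s*)(tls-config\s+tls-common\s*\{)\s*$',
                  rf'\1\2\n\1    tls_max_version = "{version}"',
                  text, count=1, flags=re.M)


if __name__ == "__main__":
    for label, cfg in (("unbounded", EAP_UNBOUNDED), ("pinned", EAP_PINNED)):
        versions = negotiable_tls_versions(parse_tls_config(cfg))
        print(f"{label:10s} accepts {', '.join(versions)}; TLS 1.3 reachable: {tls13_exposure(cfg)}")
```

Running the script shows the unbounded file accepting 1.0 through 1.3 (the situation that breaks the Windows supplicants) and the pinned file stopping at 1.2; `pin_max_version` is the check to run against a deployed eap file before and after setting the UCR variable, and it is also the place to lift the cap back to 1.3 once the freeradius version is new enough (Bug #55763).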
(In reply to Maximilian Janßen from comment #10)
> - The radius TLS version can now be defined via UCR `freeradius/conf/tls-max-version`
> - Set the default TLS version to 1.2

How are we making sure that future UCS versions with a newer freeradius version are using TLS 1.3, that we do not by default restrict radius to an older and maybe at some point insecure TLS version?
REOPEN: the test case fails: https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.0/job/UCS-5.0-3/job/AutotestUpgrade/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master/testReport/45_radius/14_eap_tlsv3/test_eap/

    file /usr/share/ucs-test/45_radius/14_eap_tlsv3.py, line 37
      def test_eap(udm, ca_cert):
    E       fixture 'ca_cert' not found
    >       available fixtures: Client, cache, capfd, capfdbinary, caplog, capsys, capsysbinary, doctest_namespace, ldap_base, ldap_master, lo, monkeypatch, pytestconfig, rad_user, random_name, random_string, random_username, record_property, record_xml_attribute, record_xml_property, recwarn, restart_s4connector_if_present, restart_umc_server, selenium, server_role, ssp, tmp_path, tmp_path_factory, tmpdir, tmpdir_factory, ucr, ucr_session, udm, udm_session, verify_ldap_object, verify_udm_object, wait_for_replication
    >       use 'pytest --fixtures [testpath]' for help on them.

    /usr/share/ucs-test/45_radius/14_eap_tlsv3.py:37
(In reply to Florian Best from comment #12)
> REOPEN: the test case fails:

I fixed that.
OK: max TLS version configurable via UCRv `freeradius/conf/tls-max-version`
OK: default is set to 1.2 as Windows 10/11 require this
I don't know if setting it to 1.2 has side effects on customers/clients which currently use 1.3.
OK: test case
OK: YAML
OK: Bug #55763 for updating the default to 1.3 when it's okay.
<https://errata.software-univention.de/#/?erratum=5.0x600>