TLS 1.2 and updated RADIUS requirements

12 November 2015 at 7:12pm

TL;DR - TLS 1.2 negotiation in forthcoming OS releases requires sites running RADIATOR, FreeRADIUS 2 and FreeRADIUS 3 to upgrade; NPS sites may need reconfiguring.

Overview

Testing with forthcoming OS releases - wpa_supplicant 2.4 (wpa_supplicant is used in Android and Linux) - has shown issues with TLS 1.2 negotiation against the various RADIUS servers that we have tested and have access to. iOS 9 and OS X El Capitan did show this issue in beta/pre-release but no longer do (NB: apparently Apple have deferred using TLS 1.2 in iOS 9 - El Capitan to be confirmed - because of the issue with many RADIUS servers around the world. This issue WILL arise for these platforms at some time in the future, though). Android 6.0 (Marshmallow) is exhibiting similar behaviour.

RADIATOR

RADIATOR uses Net::SSLeay for its SSL support. Older versions of Net::SSLeay, such as the 1.35 that may come from your OS repository, will not work with TLS 1.2 negotiation if you are running RADIATOR 4.14 or 4.15. Advice: upgrade to Net::SSLeay 1.70 (and, whilst looking at this, upgrade to RADIATOR 4.15 *with the recent patchset which fixes the MPPE key issue* - it brings many bug fixes and some great new features such as REDIS support).

FreeRADIUS 2

FreeRADIUS 2 < 2.2.6 should not have an issue, as it doesn't DO TLS 1.2 negotiation at all. This may have *other* adverse effects with clients that try TLS 1.2 (we don't know, for example, what forthcoming Windows Phone releases will do). However, 2.2.6 and 2.2.7 DO have issues - upgrade to 2.2.9 (which also carries the X.509 security fix from 2.2.8 anyway). Sites running OpenSSL 1.0.2 need 2.2.10(!)

FreeRADIUS 3

FreeRADIUS 3 < 3.0.6 does not DO TLS 1.2 negotiation either. To ensure support with newer clients this feature was added in 3.0.6 (at the same time as 2.2.6), with a similar issue. Upgrade to 3.0.10 (which also carries the same X.509 security fix from 3.0.9) - sites running OpenSSL 1.0.2 need 3.0.11(!)

(If building FreeRADIUS locally, please ensure that the server you run FreeRADIUS on has the same version of OpenSSL as the server you built it on - the next releases revert a bug so that this is enforced at startup.)
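The RADIATOR and FreeRADIUS rules above amount to a version-threshold policy that depends on the installed OpenSSL. The following script is an added example, not part of the advisory and not code from the FreeRADIUS or Radiator projects: it parses the version strings, applies exactly the thresholds the advisory states, and tells you whether a given server is fine, needs the upgrade, predates TLS 1.2 negotiation entirely, or is unsupported. The `radiusd -v` and `openssl version` lines it parses are constructed samples; the only assumption is that the real output contains the dotted version number somewhere on the line.

```python
"""Check RADIUS server versions against the TLS 1.2 advisory thresholds.

Added example. The rules below encode only what the advisory says:
  FreeRADIUS 2: <2.2.6 no TLS 1.2 negotiation; 2.2.6-2.2.8 broken;
                target 2.2.9, or 2.2.10 on OpenSSL 1.0.2
  FreeRADIUS 3: <3.0.6 no TLS 1.2 negotiation; 3.0.6-3.0.9 broken;
                target 3.0.10, or 3.0.11 on OpenSSL 1.0.2
  RADIATOR 4.14/4.15: Net::SSLeay must be >= 1.70
  FreeRADIUS 1.x / 2.1.x: not supported; move to 3.0.x
The sample command output used below is constructed, not captured.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract the first dotted number ('3.0.10', '1.0.2d') as a tuple of ints.

    Letter suffixes such as OpenSSL's '1.0.2d' are ignored: the advisory
    only distinguishes 1.0.2 from earlier releases.
    """
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def freeradius_advice(radiusd_v_output: str,
                      openssl_version_output: str) -> Tuple[str, Optional[str]]:
    """Apply the advisory's FreeRADIUS rules.

    Returns (status, target): status is 'ok', 'upgrade', 'no-tls12',
    'unsupported' or 'unreviewed'; target is the release the advisory
    says to move to, or None when nothing is required.
    """
    fr = parse_version(radiusd_v_output)
    ssl = parse_version(openssl_version_output)
    on_openssl_102 = ssl[:3] >= (1, 0, 2)

    if fr[0] < 2 or fr[:2] == (2, 1):
        # 1.x and 2.1.x are neither supported nor reviewed by the advisory.
        return ("unsupported", "3.0.x")

    if fr[:2] == (2, 2):
        target = (2, 2, 10) if on_openssl_102 else (2, 2, 9)
        first_tls12 = (2, 2, 6)
    elif fr[:2] == (3, 0):
        target = (3, 0, 11) if on_openssl_102 else (3, 0, 10)
        first_tls12 = (3, 0, 6)
    else:
        return ("unreviewed", None)  # a branch the advisory does not cover

    target_str = ".".join(map(str, target))
    if fr >= target:
        return ("ok", None)
    if fr < first_tls12:
        # Older than the release that introduced TLS 1.2 negotiation: no
        # negotiation failure, but clients insisting on TLS 1.2 are untested.
        return ("no-tls12", target_str)
    return ("upgrade", target_str)


def radiator_advice(radiator_version: str,
                    net_ssleay_version: str) -> Tuple[str, Optional[str]]:
    """Apply the advisory's RADIATOR rule: 4.14/4.15 need Net::SSLeay >= 1.70."""
    rad = parse_version(radiator_version)
    ssleay = parse_version(net_ssleay_version)
    if rad[:2] not in ((4, 14), (4, 15)):
        return ("unreviewed", None)
    if ssleay < (1, 70):
        return ("upgrade", "Net::SSLeay 1.70")
    return ("ok", None)


if __name__ == "__main__":
    # Constructed sample output, in the shape of `radiusd -v` / `openssl version`.
    samples = [
        ("radiusd: FreeRADIUS Version 3.0.6, for host x86_64-pc-linux-gnu",
         "OpenSSL 1.0.1f 6 Jan 2014"),
        ("radiusd: FreeRADIUS Version 3.0.10, for host x86_64-pc-linux-gnu",
         "OpenSSL 1.0.2d 9 Jul 2015"),
        ("radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu",
         "OpenSSL 1.0.1e 11 Feb 2013"),
    ]
    for rad_line, ssl_line in samples:
        print(rad_line.split(",")[0], "+", ssl_line.split()[1], "->",
              freeradius_advice(rad_line, ssl_line))
    print("Radiator 4.15 + Net::SSLeay 1.35 ->",
          radiator_advice("Radiator 4.15", "Net::SSLeay 1.35"))
```

On a live server, feed it the real output of `radiusd -v` (or `freeradius -v` on Debian-derived packages) and `openssl version`; the OpenSSL line matters because the advisory moves the target release by one point on 1.0.2.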

Microsoft NPS - can do TLS 1.2 (ignore the dated document at https://support.microsoft.com/en-us/kb/2719195). Read the following advisory about TLS 1.2 support being added to the OS: https://technet.microsoft.com/en-us/library/security/2977292.aspx and https://support.microsoft.com/en-us/kb/2977292 (which gives the registry TlsVersion DWORD flags to use to enable TLS 1.0/1.1 and 1.2 support).

ACS 5 - untested/unknown

ISE 1.2/1.3 - untested/unknown

ISE 2.0 - apparently does TLS 1.2, and certainly now supports EAP-TTLS (http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise2...)

Older RADIUS platforms - FreeRADIUS 1.x or 2.1.x, Microsoft IAS, ACS 3.x or 4.x, and ISE 1.0 or 1.1 - are not supported or reviewed.

obnote: You might also want to check out my blog about the requirements for larger DH keys on your RADIUS server:

https://community.jisc.ac.uk/blogs/8021x-clients-and-radius-server-suppo...

obnote2: on RADIATOR/FreeRADIUS platforms, ensure your OpenSSL package is the latest possible copy - keep your OS up to date.

Comments

If you're using v2.x.x you should upgrade to v3.0.9.  v2.x.x is now end of life and you are using unsupported software.

:) as said, 'only and last statement from Alan regarding the release policy' - and the web page still says "Only security fixes will be applied to 2.2.x"  

anyway, case remains: if you've got 1.x it's gone. If you've got 2.1.x, upgrade - at least to 2.2.x in the short term - all new installs should be 3.0.x

"Sites running OpenSSL 1.0.2 need 3.0.11(!)"

Alan, do you mean check out latest source code; given that 3.0.11 doesn't exist yet?

Looks like Ubuntu 15.10 comes with OpenSSL 1.0.2 - that should be a good candidate to install on?

yes, 3.0.x HEAD release (which will become 3.0.11 when released...which might be this week).

any distro that provides OpenSSL 1.0.2 is a good candidate for finding more issues ;-)