Problem: Wi-Fi printers fail to authenticate via FreeRADIUS after upgrade to UCS 5.2

Problem:

After upgrading to UCS 5.2, Wi-Fi printers may fail to authenticate against FreeRADIUS using EAP-PEAP. The authentication fails during the TLS handshake due to stricter TLS handling or invalid printer certificates.

(90) eap: Calling submodule eap_peap to process data
(90) eap_peap: (TLS) EAP Peer says that the final record size will be 170 bytes
(90) eap_peap: (TLS) EAP Got all data (170 bytes)
(90) eap_peap: (TLS) Handshake state - before SSL initialization
(90) eap_peap: (TLS) Handshake state - Server before SSL initialization
(90) eap_peap: (TLS) Handshake state - Server before SSL initialization
(90) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(90) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(90) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
(90) eap_peap: ERROR: (TLS) Server : Error in error
(90) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:0A000102:SSL routines::unsupported protocol
(90) eap_peap: ERROR: (TLS) System call (I/O) error (-1)
(90) eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
(90) eap_peap: ERROR: [eaptls process] = fail
(90) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(90) eap: Sending EAP Failure (code 4) ID 2 length 4
(90) eap: Failed in EAP select
(90)     [eap] = invalid
(90)   } # authenticate = invalid

Symptoms:

  • Wi-Fi printers cannot connect to the WLAN

  • 802.1X authentication fails

  • FreeRADIUS debug logs show TLS handshake errors, for example:

    • fatal protocol_version
    • unsupported protocol
    • no suitable signature algorithm
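
The following Python example is added here and is not part of the original article or of UCS or FreeRADIUS. It groups FreeRADIUS debug output by request number, re-joins wrapped lines, and reports which of the symptom strings above and which OpenSSL error codes each failed request logged; the function names and the request 91 sample line are assumptions made for illustration.

```python
import re

# Handshake error strings from the "Symptoms" list; the debug log writes
# protocol_version both with an underscore and with a space.
SYMPTOMS = {
    "protocol_version": re.compile(r"protocol[_ ]version"),
    "unsupported protocol": re.compile(r"unsupported protocol"),
    "no suitable signature algorithm": re.compile(r"no suitable signature algorithm"),
}
REQ_LINE = re.compile(r"^\((\d+)\)\s+(.*)$")
# OpenSSL 3 error string: error:<code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-F]{8}):[^:]*:[^:]*:(.+)$")

def join_wrapped(text):
    """Re-attach continuation lines (no "(N)" prefix) to the previous line."""
    lines = []
    for raw in filter(None, (l.strip() for l in text.splitlines())):
        if REQ_LINE.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw
    return lines

def triage(text):
    """Return {request_id: findings} for requests that logged a TLS error."""
    found = {}
    for line in join_wrapped(text):
        m = REQ_LINE.match(line)
        if not m:
            continue
        req, msg = int(m.group(1)), m.group(2)
        entry = found.setdefault(req, {"symptoms": set(), "openssl": [], "eap_failure": False})
        entry["symptoms"].update(n for n, rx in SYMPTOMS.items() if rx.search(msg))
        err = OPENSSL_ERR.search(msg)
        if err:
            entry["openssl"].append((err.group(1), err.group(2).strip()))
        entry["eap_failure"] |= "Sending EAP Failure" in msg
    return {r: dict(e, symptoms=sorted(e["symptoms"]))
            for r, e in found.items() if e["symptoms"] or e["openssl"]}

# Request 90: lines from the excerpt above (one wrapped). Request 91: constructed.
SAMPLE = """\
(90) eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
(90) eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
(90) eap_peap: ERROR: (TLS) Failed reading from OpenSSL:
error:0A000102:SSL routines::unsupported protocol
(90) eap: Sending EAP Failure (code 4) ID 2 length 4
(91) eap: Calling submodule eap_peap to process data
"""
```

Calling `triage()` on the text of a saved debug log returns one entry per failed request, so printers that fail on the TLS version can be told apart from those that fail for another reason.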

Root Cause:

This issue can be caused by one or more of the following:

  • Older printers only support deprecated TLS versions
  • The TLS minimum version was not evaluated correctly in early UCS 5.2 releases - Bug 58374
  • The certificate configured on the printer is expired or incompatible

Solution:

The issue is resolved with:

With this erratum, the UCR variable below is evaluated correctly by FreeRADIUS:

  • freeradius/conf/tls-min-version

After installing the erratum, you can set the variable, for example:

  • ucr set freeradius/conf/tls-min-version=1.0

Workaround (only if the erratum is not installed)

As a temporary workaround, the TLS minimum version can be enforced manually via the FreeRADIUS UCR template.

  1. Edit the template:

    /etc/univention/templates/files/etc/freeradius/3.0/mods-available/eap

  2. Add the following lines near the TLS configuration:

    @!@
    print('\t\ttls_max_version = %s' % configRegistry.get('freeradius/conf/tls-max-version', '1.3'))
    print('\t\ttls_min_version = %s' % configRegistry.get('freeradius/conf/tls-min-version', '1.0'))
    @!@
    
  3. Apply the changes:

    ucr commit /etc/freeradius/3.0/mods-available/eap

  4. Verify that the generated configuration contains:

    tls_max_version = 1.3
    tls_min_version = 1.0
    

Additional information

If authentication still fails after installing the erratum and configuring the TLS minimum version, check the certificate configured on the printer. Renewing or re-enrolling the printer certificate resolved the issue in confirmed cases.


Notes

  • UCS 5.2 enforces stricter TLS defaults in FreeRADIUS
  • Older or embedded devices may require explicit TLS minimum version configuration
  • Printer certificates should be checked regularly for validity