Hello

Maybe this is a stupid remark of mine, but when initially testing with our radius proxy I got the same error messages, and it turned out the secret was wrong in the config ... (it was given over the phone..)

And a second time we had problems with EAP, it was with the SSLeay, which were solved when using the OSC SSLeay/OpenSSL bundle.

We are running on Windows 2008 R2 SP1 and are on eduroam. Our install was with ActiveState Perl (ActivePerl-5.12.4.1205-MSWin32-x64-294981.msi), followed by

cd \perl64\bin
ppm install Win32::Daemon
ppm install Digest::HMAC
ppm install Digest::MD4
ppm install Net::LDAP
ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
ppm install http://www.open.com.au/radiator/free-downloads/Net-SSLeay.ppd

Luc

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Heikki Vatiainen
Sent: Friday 9 September 2011 11:09
To: Johnson, Neil M
Cc: [email protected]
Subject: Re: [RADIATOR] SSL Errors

On 09/08/2011 11:39 PM, Johnson, Neil M wrote:

Hello Neil,

> I should point out the PEAP authentication is working for most clients.

The errors come from the SSL layer. The authentication messages from the clients are getting corrupted somewhere. So this is a problem between the client and Radiator and does not concern your AD infrastructure.

Working back from Radiator towards the authenticating client, there are a number of possibilities that can cause this.

Radiator has problems handling all incoming requests. Some requests get dropped from the incoming OS UDP queue and the TLS tunnels from the authenticating clients to Radiator start experiencing problems. TLS was designed for TCP (reliable transport), so I am not surprised if it has problems with the unreliable transport (lost, duplicated, corrupted, out of order) UDP provides. For the configuration you could try setting EAPTLS_MaxFragmentSize to 1000. See Radiator reference manual section "5.19.35 EAPTLS_MaxFragmentSize". If the error messages are caused by NASes that have problems with fragments, this might help.

The OpenSSL libraries and Perl Net-SSLeay module Radiator uses may be buggy. I do not think this is the most likely cause though. Errors such as "decryption failed" and "block cipher pad is wrong" indicate corrupted messages.

If you have load balancers, either dedicated devices or Radiator doing proxying and load balancing, these can easily cause problems with EAP authentication. When e.g. PEAP establishes a TLS tunnel from the client to the authenticating RADIUS server, the load balancers need to keep related EAP packets together so that the traffic is always proxied to the same RADIUS server. Please see the discussion in the reference manual about AuthBy EAPBALANCE. There is more about how to properly do load balancing with EAP authentication using Radiator.

The next step is to check the NASes. The first item, the EAPTLS_MaxFragmentSize setting, relates to NASes, but there might be a device (WLAN AP or controller) that is having problems and is corrupting EAP messages from the authenticating client. To catch these, run Radiator with Trace 4 and use Called-Station-Id, Calling-Station-Id, NAS-IP-Address and other attributes from the request to see where the corrupted requests came from.

Finally the problem may be with the authenticating client. Trace 4 should help here too. You can collect the Calling-Station-Id information from the corrupted requests and see if the problems occur with the same MAC address.

Finally, I have noticed these errors can show up even if everything works as expected. However, the percentage of errors should be very small compared to the total number of authentication messages. You wrote about thousands of messages, and that sounds a little too much.

Thanks!
Heikki

> ------------------------------------------------------------------------
> *From:* [email protected] [[email protected]] on behalf of Johnson, Neil M [[email protected]]
> *Sent:* Thursday, September 08, 2011 2:19 PM
> *To:* [email protected]
> *Subject:* [RADIATOR] SSL Errors
>
> We are seeing thousands of these errors over a 24 hour period. What do they indicate and what should we be troubleshooting?
>
> We are running the latest RADIATOR on Windows Server 2008 R2 SP1 64-bit.
>
> Is it an issue between the client and RADIATOR or our Active Directory Infrastructure?
>
> Is there any documentation that provides insight into these errors?
>
> We do have support for RADIATOR under uiowa.edu
>
> Thanks.
>
> -Neil
>
> Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8608, 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8576, 3068: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
>
> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>
> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>
> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

SCK-CEN Disclaimer: http://www.sckcen.be/en/Legal-aspects/E-mail-disclaimer
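Heikki's suggestion is to run Radiator at Trace 4 and read NAS-IP-Address, Called-Station-Id and Calling-Station-Id out of the request that was being processed when each SSL error was logged, then see whether the corrupted records cluster on one NAS or one client MAC, and whether the error percentage is really small. The script below is an added example of that tally, not Radiator code and not something posted in the thread. It assumes the Trace 4 layout of a "Packet dump:" debug line followed by a "*** Received from" line and indented "Attribute = value" lines (layout reconstructed from memory, so treat it as an assumption to check against your own log), and it attributes every ERR line to the most recently received request, which holds for a single Radiator instance that finishes one request before reading the next. The ERR lines in the sample are the ones quoted in Neil's mail; the packet dumps, addresses and MACs are constructed.

```python
"""Tally Radiator 'EAP TLS error' / 'TLS read failed' lines by the NAS and client
whose request was being processed when the error was logged (added example)."""
import re
from collections import Counter

# Assumed Trace 4 shapes: a received-packet header, then indented attributes.
RECEIVED_RE = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')
# Matches the ERR lines from the thread; group 1 is the OpenSSL reason string.
ERR_RE = re.compile(
    r"^.*?: ERR: EAP (?:PEAP )?TLS (?:error|read failed).*?"
    r"error:[0-9A-Fa-f]+:SSL routines:[^:]+:(.+)$")


def triage(trace):
    """Return per-NAS request and failure counts, per-client error counts and
    a histogram of OpenSSL reasons for the given Radiator trace text."""
    report = {"requests": Counter(), "failed_requests": Counter(),
              "errors_by_client": Counter(), "reasons": Counter()}
    current, errs = None, 0

    def close():
        # Book the request that just finished under its NAS (falls back to the
        # UDP source address if the attribute is missing, e.g. a bare proxy).
        if current is not None:
            nas = current.get("NAS-IP-Address", current["src"])
            report["requests"][nas] += 1
            if errs:
                report["failed_requests"][nas] += 1
                report["errors_by_client"][current.get("Calling-Station-Id", "?")] += errs

    for line in trace.splitlines():
        m = RECEIVED_RE.match(line)
        if m:                      # a new request starts; finish the previous one
            close()
            current, errs = {"src": m.group(1)}, 0
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        m = ERR_RE.match(line)
        if m:                      # SSL error while the current request was in flight
            report["reasons"][m.group(1)] += 1
            errs += 1
    close()
    return report


def failure_rate(report):
    """Fraction of each NAS's requests that produced at least one TLS error."""
    return {nas: report["failed_requests"][nas] / n
            for nas, n in report["requests"].items()}


# ---- constructed sample trace (addresses, MACs and dump layout are assumed) ----
T = "Wed Sep 7 18:16:12 2011"


def _request(nas, mac):
    return (f"{T}: DEBUG: Packet dump:\n"
            f"*** Received from {nas} port 1645 ....\n"
            "Code:       Access-Request\n"
            "Attributes:\n"
            '\tUser-Name = "anonymous@example.edu"\n'
            f"\tNAS-IP-Address = {nas}\n"
            '\tCalled-Station-Id = "00-11-22-33-44-55:eduroam"\n'
            f'\tCalling-Station-Id = "{mac}"\n'
            "\tEAP-Message = <2>\n")


BAD_MAC = T + ": ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac\n"
BAD_PAD = T + ": ERR: EAP PEAP TLS read failed: 3068: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong\n"
BAD_VER = T + ": ERR: EAP TLS error: -1, 1, 8576, 3068: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number\n"

SAMPLE_TRACE = "".join([
    _request("10.10.1.5", "aa-bb-cc-dd-ee-01"), BAD_MAC, BAD_MAC,
    _request("10.10.2.7", "aa-bb-cc-dd-ee-02"),
    _request("10.10.1.5", "aa-bb-cc-dd-ee-03"), BAD_VER,
    _request("10.10.2.7", "aa-bb-cc-dd-ee-02"),
    _request("10.10.1.5", "aa-bb-cc-dd-ee-01"), BAD_PAD,
    _request("10.10.1.5", "aa-bb-cc-dd-ee-04"),
])

if __name__ == "__main__":
    rep = triage(SAMPLE_TRACE)
    for nas, rate in sorted(failure_rate(rep).items(), key=lambda kv: -kv[1]):
        print(f"{nas}: {rep['failed_requests'][nas]}/{rep['requests'][nas]} "
              f"requests hit a TLS error ({rate:.0%})")
    print("by client:", rep["errors_by_client"].most_common())
    print("by reason:", rep["reasons"].most_common())
```

Run it against a real trace with `triage(open("radiator.log").read())`. A high failure fraction concentrated on one NAS-IP-Address points at that AP or controller (or a load balancer in front of it), while errors spread across NASes but concentrated on a few Calling-Station-Id values point at the clients; a low fraction everywhere is the benign background Heikki mentions.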
