Heikki, Thanks. We do have EAPTLS_MaxFragmentSize set to 1000.
We have a lot of SQL requests going on in processing hooks that may be causing the problem.

Thanks.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: [email protected]

On 9/9/11 4:08 AM, "Heikki Vatiainen" <[email protected]> wrote:

>On 09/08/2011 11:39 PM, Johnson, Neil M wrote:
>
>Hello Neil,
>
>> I should point out the PEAP authentication is working for most clients.
>
>The errors come from the SSL layer. The authentication messages from the
>clients are getting corrupted somewhere. So this is a problem between
>the client and Radiator and does not concern your AD infrastructure.
>
>Working back from Radiator towards the authenticating client there are a
>number of possibilities that can cause this.
>
>Radiator has problems handling all incoming requests. Some requests get
>dropped from the incoming OS UDP queue and the TLS tunnels from the
>authenticating clients to Radiator start experiencing problems. TLS was
>designed for TCP (reliable transport), so I am not surprised if it has
>problems with the unreliable transport (lost, duplicated, corrupted, out of
>order) UDP provides.
>
>For the configuration you could try setting EAPTLS_MaxFragmentSize to
>1000. See Radiator reference manual section "5.19.35
>EAPTLS_MaxFragmentSize". If the error messages are caused by NASes that
>have problems with fragments, this might help.
>
>The OpenSSL libraries and Perl Net-SSLeay module Radiator uses may be
>buggy. I do not think this is the most likely cause though. Errors such
>as "decryption failed" and "block cipher pad is wrong" indicate
>corrupted messages.
>
>If you have load balancers, either dedicated devices or Radiator doing
>proxying and load balancing, these can easily cause problems with EAP
>authentication. When e.g. PEAP establishes a TLS tunnel from the client to the
>authenticating RADIUS server, the load balancers need to keep related
>EAP packets together so that the traffic is always proxied to the same
>RADIUS server.
>
>Please see the discussion in the reference manual about AuthBy EAPBALANCE.
>There is more about how to properly do load balancing with EAP
>authentication using Radiator.
>
>The next step is to check the NASes. The first item, the
>EAPTLS_MaxFragmentSize setting, relates to NASes, but there might be a
>device (WLAN AP or controller) that is having problems and is corrupting
>EAP messages from the authenticating client.
>
>To catch these, run Radiator with Trace 4 and use Called-Station-Id,
>Calling-Station-Id, NAS-IP-Address and other attributes from the request
>to see where the corrupted requests came from.
>
>Finally the problem may be with the authenticating client. Trace 4
>should help here too. You can collect the Calling-Station-Id information
>from the corrupted requests and see if the problem occurs with the same
>MAC address.
>
>Finally, I have noticed these errors can show up even if everything
>works as expected. However, the percentage of errors should be very
>small compared to the total number of authentication messages.
>
>You wrote about thousands of messages, and that sounds a little too much.
>
>Thanks!
>Heikki
>
>
>> ------------------------------------------------------------------------
>> *From:* [email protected] [[email protected]] on
>> behalf of Johnson, Neil M [[email protected]]
>> *Sent:* Thursday, September 08, 2011 2:19 PM
>> *To:* [email protected]
>> *Subject:* [RADIATOR] SSL Errors
>>
>> We are seeing thousands of these errors over a 24 hour period. What do
>> they indicate and what should we be troubleshooting? We are running the
>> latest RADIATOR on Windows Server 2008 R2 SP1 64-bit.
>>
>> Is it an issue between the client and RADIATOR or our Active Directory
>> Infrastructure?
>>
>> Is there any documentation that provides insight into these errors?
>>
>> We do have support for RADIATOR under uiowa.edu
>>
>> Thanks.
>>
>> -Neil
>>
>> Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8608, 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>>
>> Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>>
>> Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8576, 3068: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>
>> Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>>
>> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
>>
>> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>>
>> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>>
>> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>>
>> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>>
>> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>>
>> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> [email protected]
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>--
>Heikki Vatiainen <[email protected]>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
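Heikki's triage advice above (run Radiator with Trace 4, then use Calling-Station-Id, Called-Station-Id and NAS-IP-Address from the request to see where the corrupted EAP messages come from and whether they cluster on one MAC or one NAS, and compare the error count against the total number of authentications) can be scripted. The following is an added example and is not code from Radiator or from either poster. The packet-dump layout in the constructed sample (`*** Received from ...` lines, a `Code:` line and tab-indented `Attribute = value` lines) is an assumption modelled on Radiator's Trace 4 output, and the script assumes that each `ERR: EAP ... TLS` line belongs to the most recently dumped packet, i.e. the request Radiator was handling when the error was logged; adjust the regular expressions if your log differs.

```python
"""Added example, not Radiator code: attribute Radiator "EAP ... TLS" errors to
the client MAC / NAS of the request being processed, from Trace 4 output."""
import re
from collections import Counter

# Constructed sample in an assumed Trace 4 layout, trimmed to the lines parsed.
SAMPLE_LOG = """\
*** Received from 10.0.0.1 port 1645 ....
Code:       Access-Request
\tNAS-IP-Address = 10.0.0.1
\tCalled-Station-Id = "00-11-22-33-44-55:campus"
\tCalling-Station-Id = "AA-BB-CC-00-00-01"
Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8576, 3068: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
*** Received from 10.0.0.1 port 1645 ....
Code:       Access-Request
\tNAS-IP-Address = 10.0.0.1
\tCalled-Station-Id = "00-11-22-33-44-55:campus"
\tCalling-Station-Id = "AA-BB-CC-00-00-02"
*** Received from 10.0.0.2 port 1645 ....
Code:       Access-Request
\tNAS-IP-Address = 10.0.0.2
\tCalled-Station-Id = "66-77-88-99-AA-BB:campus"
\tCalling-Station-Id = "AA-BB-CC-00-00-01"
Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
*** Received from 10.0.0.2 port 1645 ....
Code:       Access-Request
\tNAS-IP-Address = 10.0.0.2
\tCalled-Station-Id = "66-77-88-99-AA-BB:campus"
\tCalling-Station-Id = "AA-BB-CC-00-00-03"
*** Received from 10.0.0.1 port 1645 ....
Code:       Access-Request
\tNAS-IP-Address = 10.0.0.1
\tCalled-Station-Id = "00-11-22-33-44-55:campus"
\tCalling-Station-Id = "AA-BB-CC-00-00-04"
"""

RECV_RE = re.compile(r"^\*\*\* Received from (\S+) port \d+")
CODE_RE = re.compile(r"^Code:\s+(\S+)")
ATTR_RE = re.compile(r'^\t(\S+) = "?([^"]*)"?$')
ERR_RE = re.compile(r": ERR: EAP .*error:([0-9A-Fa-f]+):SSL routines:([^:]+):(.+)$")
KEYS = ("Calling-Station-Id", "Called-Station-Id", "NAS-IP-Address")

def parse_log(text):
    """Return (access_requests, errors). Assumes an ERR line belongs to the most
    recently dumped packet, i.e. the request Radiator was handling."""
    requests, errors, current = 0, [], None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = {"src": m.group(1)}          # new packet: reset attributes
            continue
        m = CODE_RE.match(line)
        if m and current is not None:
            if m.group(1) == "Access-Request":     # ignore accounting etc.
                requests += 1
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        m = ERR_RE.search(line)
        if m:
            err = {"code": m.group(1), "func": m.group(2), "reason": m.group(3)}
            for k in KEYS:                         # "unknown" before any dump
                err[k] = (current or {}).get(k, "unknown")
            errors.append(err)
    return requests, errors

def summarize(requests, errors):
    """Tally errors per client MAC, NAS, AP/SSID and OpenSSL reason, plus the
    error rate against all Access-Requests (should be very small)."""
    return {
        "requests": requests,
        "errors": len(errors),
        "error_rate": len(errors) / requests if requests else 0.0,
        "by_client": Counter(e["Calling-Station-Id"] for e in errors),
        "by_nas": Counter(e["NAS-IP-Address"] for e in errors),
        "by_called": Counter(e["Called-Station-Id"] for e in errors),
        "by_reason": Counter(e["reason"] for e in errors),
    }

def suspects(summary, threshold=0.5):
    """Name the client MAC and/or NAS responsible for more than `threshold`
    of all errors; that is where to look (or capture packets) first."""
    out, total = {}, summary["errors"]
    for label in ("by_client", "by_nas"):
        if total and summary[label]:
            who, n = summary[label].most_common(1)[0]
            if n / total > threshold:
                out[label] = (who, n)
    return out

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(*parse_log(text))
    print(f"{s['errors']} TLS errors / {s['requests']} Access-Requests ({s['error_rate']:.1%})")
    for label in ("by_client", "by_nas", "by_called", "by_reason"):
        print(label, s[label].most_common(5))
    print("suspects:", suspects(s))
```

On the constructed sample every error comes from the same Calling-Station-Id across two different NASes, so the client is flagged and the NAS is not; on a real Trace 4 file (`python3 triage.py radiator.log`, a hypothetical file name) the opposite pattern, errors spread over many MACs but concentrated on one NAS-IP-Address or Called-Station-Id, would point at the AP or controller instead, and a high error rate with no concentration at all is more consistent with dropped or reordered UDP in front of Radiator.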
