Fixed!!!
It transpires that the problem was down to our student Windows 7 image. We used
to use XpressConnect to set up all our staff/student images but moved over to
using group policies and a couple of scripts for various reasons.
Unfortunately the CA intermediate and root certs weren't installed on the
client machines so they couldn't verify our eduroam.hull.c.uk cert.
As soon as the CAs were installed on the client, everything sprang into life.
Rgds
Alex
________________________________
From: [email protected] [[email protected]] on behalf of
Alex Sharaz [[email protected]]
Sent: 09 July 2012 16:10
To: [email protected]
Subject: [RADIATOR] tlsv1 errors
Hi,
I'm seeing loads of
Wed Apr 18 02:13:42 2012: ERR: EAP PEAP TLS read failed: 1116: 1 -
error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Wed Apr 18 02:15:15 2012: ERR: EAP PEAP TLS read failed: 1116: 1 -
error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Wed Apr 18 02:16:48 2012: ERR: EAP PEAP TLS read failed: 1116: 1 -
error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Wed Apr 18 02:18:21 2012: ERR: EAP PEAP TLS read failed: 1116: 1 -
error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
errors on all of my Radiator V4.9 (and 1 4.10) fully patched servers running
on Windows 2008R2 servers configured to authenticate against our AD system using
AuthBy LSA.
Looking in my eaplog file I can see
Jul 9, 2012 15:51 : clientip=150.237.85.206 nasIP=150.237.253.140 nasPort=30
user=ADIR\adsmt3 result=OK
Jul 9, 2012 15:51 : clientip= nasIP=150.237.251.30 nasPort=3 user=anonymous
result=OK
Jul 9, 2012 15:51 : EAP PEAP TLS read failed clientip=150.237.85.206
nasIP=150.237.251.83 nasPort=39 user=ADIR\408859 result=FAIL
Jul 9, 2012 15:51 : clientip=150.237.85.206 nasIP=150.237.251.30 nasPort=3
user=ADIR\381760 result=OK
Jul 9, 2012 15:52 : clientip= nasIP=150.237.251.81 nasPort=8 user=anonymous
result=OK
Jul 9, 2012 15:52 : clientip=150.237.85.206 nasIP=150.237.251.81 nasPort=8
user=ADIR\433918 result=OK
Jul 9, 2012 15:52 : EAP PEAP TLS read failed clientip=150.237.85.206
nasIP=150.237.251.83 nasPort=21 user=ADIR\430746 result=FAIL
Jul 9, 2012 15:52 : clientip= nasIP=150.237.175.164 nasPort=11 user=anonymous
result=OK
So I've got one batch of people authenticating just fine and another lot that
keep failing. As I run a load balanced service with multiple back end Radiator
AD servers, shutting down one that seems to be seeing lots of problems just
moves the auth failures over to another Radiator server.
I'm currently trying to figure out whether all the failures are associated with
one of our University built images but would really appreciate any hints as to
what "tlsv1 alert access denied" actually means
Rgds
Alex
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
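Added example, not part of the original thread or of Radiator: a Python triage sketch for the two log types quoted above. It unpacks the OpenSSL 1.x error code from the Radiator log to show that it is TLS alert 49 (access_denied) received from the peer, and lists users in the eaplog who fail on every attempt together with the NAS IPs involved. The eaplog layout is assumed from the excerpts, and the sample records are constructed.

```python
import re
from collections import defaultdict

# TLS alert descriptions (RFC 5246 section 7.2); subset only.
TLS_ALERTS = {42: "bad_certificate", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL: reason = 1000 + alert number for alerts received from the peer

def decode_openssl_error(hexcode):
    """Unpack an OpenSSL 1.x error code: 8-bit library, 12-bit function, 12-bit reason."""
    code = int(hexcode, 16)
    reason = code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason > SSL_AD_REASON_OFFSET else None
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}

# Assumed eaplog layout, taken from the excerpts in the message (one record per line).
EAPLOG_RE = re.compile(
    r"^\w+ \d+, \d{4} \d\d:\d\d : (?P<msg>.*?)\s*clientip=(?P<clientip>\S*) "
    r"nasIP=(?P<nas>\S+) nasPort=(?P<port>\d+) user=(?P<user>\S+) result=(?P<result>\w+)$")

def users_that_only_fail(lines):
    """Map each user with failures and no successes to the NAS IPs they failed on."""
    ok, failed = set(), defaultdict(set)
    for line in lines:
        m = EAPLOG_RE.match(line.strip())
        if not m:
            continue  # wrapped or foreign line
        if m["result"] == "OK":
            ok.add(m["user"])
        else:
            failed[m["user"]].add(m["nas"])
    return {user: nas for user, nas in failed.items() if user not in ok}

# Constructed sample records (documentation addresses, made-up users).
SAMPLE = [
    r"Jul 9, 2012 15:51 : clientip=192.0.2.10 nasIP=198.51.100.1 nasPort=30 user=LAB\staff1 result=OK",
    r"Jul 9, 2012 15:51 : clientip= nasIP=198.51.100.2 nasPort=3 user=anonymous result=OK",
    r"Jul 9, 2012 15:51 : EAP PEAP TLS read failed clientip=192.0.2.10 nasIP=198.51.100.3 nasPort=39 user=LAB\student1 result=FAIL",
    r"Jul 9, 2012 15:52 : EAP PEAP TLS read failed clientip=192.0.2.10 nasIP=198.51.100.4 nasPort=21 user=LAB\student1 result=FAIL",
    r"Jul 9, 2012 15:52 : EAP PEAP TLS read failed clientip=192.0.2.10 nasIP=198.51.100.3 nasPort=12 user=LAB\staff1 result=FAIL",
]

if __name__ == "__main__":
    print(decode_openssl_error("14094419"))
    print(users_that_only_fail(SAMPLE))
```

A user who fails on every NAS while others succeed on the same NAS points at the client rather than the server, which matches the fix reported at the top of the thread.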