[RADIATOR] EAP errors and config ordering questions
McNealy, Justin S
mcnealy at musc.edu
Thu Mar 11 14:24:26 CST 2010
Hello,
We are having an issue with a recent upgrade. We went from 4.2 to 4.6.
We upgraded one of the servers that primarily handled the accounting and then tested to make sure clients were authenticating ok. Once that was verified, we shut down the Authentication server and allowed the clients to fail over to the server running the new version. That is when we started seeing errors in the logs.
A google search did not yield any results that explained these errors to our satisfaction.
Our current config is attached and some of the errors are below.
Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
Thu Mar 11 10:24:31 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
Thu Mar 11 10:24:32 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
Thu Mar 11 10:24:32 2010: ERR: Could not load EAP module Radius::EAP_152: Can't locate Radius/EAP_152.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 359) line 3.
Thu Mar 11 10:24:32 2010: INFO: Access rejected for domain\username: Unsupported EAP Request 152
Thu Mar 11 10:24:32 2010: INFO: Duplicate request id 29 received from 10.24.97.21(32770): ignored
Thu Mar 11 10:24:37 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: PEAP Authentication Failure
Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 437) line 3.
Thu Mar 11 10:24:40 2010: INFO: Access rejected for anonymous: Unsupported EAP Request 11
Thu Mar 11 10:24:40 2010: ERR: EAP TLS error: -1, 1, 8465, 2004: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/d-m0: EAP PEAP TLS error
Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 440) line 3.
Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/chp-DQD5WF1.domain.local: Unsupported EAP Request 11
Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Thu Mar 11 10:24:55 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
Thu Mar 11 10:25:03 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Thu Mar 11 10:25:03 2010: INFO: Access rejected for anonymous: PEAP Authentication Failure
Thu Mar 11 10:25:08 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
Thu Mar 11 12:24:18 2010: ERR: EAP TLS error: -1, 1, 8465, 3256: 1 - error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early
Then we restarted at trace 4:
Thu Mar 11 11:02:27 2010: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Mar 11 11:02:27 2010: NOTICE: Server started: Radiator 4.6 on radauth4
*** Received from 10.24.97.13 port 32770 ....
Code: Access-Request
Identifier: 192
Authentic: <232><13>5S<151><174>z<203><146>~<220><202><206>u<127><218>
Attributes:
User-Name = "domain\username"
Calling-Station-Id = "0010.7a72.3b64"
Called-Station-Id = "0024.c48d.5910:devnet"
NAS-Port = 29
NAS-IP-Address = 10.24.97.13
NAS-Identifier = "wism3a"
Airespace-WLAN-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 256
EAP-Message = <2><8><0>P<25><0><23><3><1><0><24><214><15><169><192>_\<15><167>O<6>A<153>ws<1>2<183><194><132><21><131><235><173><194><23><3><1><0>(<249><247><131><209>Mw<127>d<143><247><6><190><158><157><183><224>%<211><4>e<150><191>=<13><132>]<197><153><147>\<149><137><235><193>AWH<31><254>[
Message-Authenticator = <239><177>_<203><185>_<246><205>~<167>1Y<211><130><169>i
Thu Mar 11 12:26:06 2010: DEBUG: Handling request with Handler 'Client-Identifier=wlan,Called-Station-Id=/devnet/i'
Thu Mar 11 12:26:06 2010: DEBUG: Deleting session for domain\username, 10.24.97.13, 29
Thu Mar 11 12:26:06 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Mar 11 12:26:06 2010: DEBUG: Handling with EAP: code 2, 8, 80, 25
Thu Mar 11 12:26:06 2010: DEBUG: Response type 25
Thu Mar 11 12:26:06 2010: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465
Thu Mar 11 12:26:06 2010: ERR: EAP TLS error: -1, 1, 8465, 1684: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Thu Mar 11 12:26:06 2010: DEBUG: EAP result: 1, EAP PEAP TLS error
Thu Mar 11 12:26:06 2010: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error
Thu Mar 11 12:26:06 2010: INFO: Access rejected for domain\username: EAP PEAP TLS error
Thu Mar 11 12:26:06 2010: DEBUG: Packet dump:
*** Sending to 10.24.97.13 port 32770 ....
Code: Access-Reject
Identifier: 192
Authentic: <186>G<12>%<212>lr<14><10><199>y<251>hz<1><27>
Attributes:
EAP-Message = <4><8><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied
*** Received from 10.24.97.22 port 32770 ....
Code: Access-Request
Identifier: 223
Authentic: <142><2><190><146><208>Ak<186><5><232>^<252><177>,@"
Attributes:
User-Name = "username"
Calling-Station-Id = "d49a.20a0.9ae4"
Called-Station-Id = "0013.60dc.9d60:muscsecure"
NAS-Port = 29
NAS-IP-Address = 10.24.97.22
NAS-Identifier = "wism2b"
Airespace-WLAN-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 168
EAP-Message = <2><6><0><208><25><129><0><0><0><198><22><3><1><0><134><16><0><0><130><0><128>`<25>7<243><248><0>R<3><26><148>@7<222><164><148><220>!I<24><183><147><159>{8<1><24><166><27>fN<6><<145><255>7k<165><173>+<162><210><132><201><143><166><7>&<232>{oS<216>p<20><236><13>x5\<219>#&1S<21>l<186><7>O<186>=0j<25><203>b_<229><132><0><242>&<133>,<11><243>6<220><209><186>VN<195><129><196><133><238>W<145>,<212>`<253><132>_T<195><19><14>p9<1><26><194>4<227><232><12>M<175>[<189>q3<149><2>V'<20><3><1><0><1><1><22><3><1><0>09<179><21><238><241>T<157>w<234>?<248><154>v<205><172><159><10><148><205><252><200>7<175><143>Q<224><127>l<244>#}<177><167><27>9<206>TF<171>u<9><213>W<225>_<146><215><200>
Message-Authenticator = &<11><232><228><168><134><170>@Lj<223><168><255><184><213>h
Thu Mar 11 12:26:25 2010: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
Thu Mar 11 12:26:25 2010: DEBUG: Deleting session for username, 10.24.97.22, 29
Thu Mar 11 12:26:25 2010: DEBUG: Handling with Radius::AuthFILE:
Thu Mar 11 12:26:25 2010: DEBUG: Handling with EAP: code 2, 6, 208, 25
Thu Mar 11 12:26:25 2010: DEBUG: Response type 25
Thu Mar 11 12:26:25 2010: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465
Thu Mar 11 12:26:25 2010: ERR: EAP TLS error: -1, 1, 8465, 1684: 1 - error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
Thu Mar 11 12:26:25 2010: DEBUG: EAP result: 1, EAP PEAP TLS error
Thu Mar 11 12:26:25 2010: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error
Thu Mar 11 12:26:25 2010: INFO: Access rejected for username: EAP PEAP TLS error
Thu Mar 11 12:26:25 2010: DEBUG: Packet dump:
*** Sending to 10.24.97.22 port 32770 ....
Code: Access-Reject
Identifier: 223
Authentic: '<21><147><143><128><132><243><158><142><12>yj<12><233><216><181>
Attributes:
EAP-Message = <4><6><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Are these due to fast-reconnect and/or session resumption or something else?
Also, we did this to be able to use CIDR in our Client clauses. We noticed that the handlers used were not what we expected.
We had the following clients configured:
<Client 10.23.0.0/16>
    IdenticalClients 10.24.0.0/16 172.31.1.0/24
    Identifier NST-devices
    Secret secret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
    IgnoreAcctSignature 1
</Client>
PreClientHook file:"%D/scripts/acct_adjustment.pl"
<Client 10.24.97.0/24>
    IdenticalClients 10.24.238.41,10.24.238.42
    Secret secret
    Identifier wlan
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
    IgnoreAcctSignature 1
</Client>
<Client 10.24.97.50>
    IdenticalClients 10.24.97.200,10.24.97.201
    Secret secret
    Identifier wlan
    DupInterval 2
    NasType Aruba
    SNMPCommunity private
    IgnoreAcctSignature 1
</Client>
And these handlers:
<Handler TunnelledByPEAP=1>
    #AuthByPolicy ContinueUntilAccept
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy LSA>
        Domain domain
        #Group Domain Users
        #DomainController zulu
        EAPType MSCHAP-V2
    </AuthBy>
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
    #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
    PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
</Handler>
<Handler TunnelledByTTLS=1>
    #AuthByPolicy ContinueUntilAccept
    # Strip realm if in MSN format
    RewriteUsername s/(.*)\\(.*)/$2/
    #AuthBy LDAPAuthentication
    <AuthBy LSA>
        Domain domain
        #Group Domain Users
        #DomainController zulu
        EAPType MSCHAP-V2
    </AuthBy>
    # <AuthBy UNIX>
    #     GroupFilename %D/group
    #     # anonymous-PEAP must be in here:
    #     Filename %D/radauth_pass.wlan
    # </AuthBy>
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
    #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
    PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
</Handler>
<Handler Client-Identifier=wlan,Called-Station-Id=/devnet/i>
    #AuthByPolicy ContinueUntilAccept
    AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
    StripFromRequest Class
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP,TTLS
        EAPTLS_CAFile %D/certificates/production/dc1_ca.cer
        EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem
        EAPTLS_PrivateKeyPassword secret
        EAPTLS_VerifyDepth 3
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        SSLeayTrace 4
        EAPTLS_PEAPVersion 1
        EAPTLS_PEAPBrokenV1Label
    </AuthBy>
    #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>
<Handler Client-Identifier=wlan>
    #AuthByPolicy ContinueUntilAccept
    AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
    StripFromRequest Class
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP,TTLS
        EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
        EAPTLS_CertificateFile %D/certificates/production/%h.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
        EAPTLS_PrivateKeyPassword secret
        EAPTLS_VerifyDepth 3
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        SSLeayTrace 4
        EAPTLS_PEAPVersion 1
        EAPTLS_PEAPBrokenV1Label
    </AuthBy>
    #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>
<Handler Client-Identifier=NST-devices>
    AuthByPolicy ContinueUntilAccept
    #AuthByPolicy ContinueAlways
    #AuthByPolicy ContinueWhileIgnore # Default
    <AuthBy UNIX>
        #GroupFilename %D/group
        Filename %D/passwd.nst
    </AuthBy>
    #AddToReply Service-Type = "Administrative-User"
    #AddToReply cisco-avpair = "shell:priv-lvl=15"
    #syslog functions not available on win32
    #AuthLog authlogger
    # Log accounting to a detail file
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>
And everything seemed to fall to the last handler, NST-devices... we tried moving the Client clause down to be the last client, but it made no difference.
While reading the reference manual, it says handlers are evaluated in the order in which they appear in the config. Should we move the TunnelledByPEAP and TunnelledByTTLS below the wlan handler?
Also, we noticed that the install did not copy the dictionary to the directory... should we have done an uninstall and then reinstalled?
Thanks,
Jay and Steve
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.cfg
Type: application/octet-stream
Size: 8044 bytes
Desc: radius.cfg
Url : http://www.open.com.au/pipermail/radiator/attachments/20100311/c3996cd9/attachment-0001.obj
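The errors in the post mix three different things: OpenSSL record-layer failures inside the PEAP tunnel, EAP type bytes Radiator could not map to a Radius::EAP_<type>.pm module, and plain MSCHAP-V2 logon failures. Before changing the config it helps to count them separately per identity and per OpenSSL reason, so that a handful of stale sessions failing over from the old server can be told apart from a systematic problem. The following triage script is an added example and is not part of the post or of Radiator; it parses the Radiator log format exactly as shown above and uses a fixed sample of lines copied from the excerpt. The field names in the summary dictionary are my own choice.

```python
import re
from collections import Counter

# Sample lines copied from the log excerpt in the post (a fixed sample, not a live feed).
SAMPLE_LOG = """\
Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\\username: EAP PEAP TLS read failed
Thu Mar 11 10:24:31 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Thu Mar 11 10:24:32 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
Thu Mar 11 10:24:32 2010: ERR: Could not load EAP module Radius::EAP_152: Can't locate Radius/EAP_152.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 359) line 3.
Thu Mar 11 10:24:32 2010: INFO: Access rejected for domain\\username: Unsupported EAP Request 152
Thu Mar 11 10:24:32 2010: INFO: Duplicate request id 29 received from 10.24.97.21(32770): ignored
Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 437) line 3.
Thu Mar 11 10:24:40 2010: ERR: EAP TLS error: -1, 1, 8465, 2004: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/d-m0: EAP PEAP TLS error
Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Thu Mar 11 10:25:08 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
"""

# "<weekday> <month> <day> <hh:mm:ss> <year>: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$")
# OpenSSL error string as Radiator prints it: error:<8 hex digits>:SSL routines:<function>:<reason>
SSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<func>[^:]+):(?P<reason>.+)$")
REJECT_RE = re.compile(r"^Access rejected for (?P<identity>.+?): (?P<reason>.+)$")
# Radiator names the EAP type byte it tried to load a module for.
MODULE_RE = re.compile(r"^Could not load EAP module Radius::EAP_(?P<type>\d+)")


def parse_line(line):
    """Return {ts, level, msg} for a Radiator log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(text):
    """Count log lines by level, OpenSSL failure reason, rejected identity/reason
    pair, and the EAP type numbers Radiator could not load a module for."""
    summary = {"by_level": Counter(), "ssl_reasons": Counter(),
               "rejects": Counter(), "unloadable_eap_types": set(), "unparsed": 0}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary["by_level"][rec["level"]] += 1
        msg = rec["msg"]
        m = SSL_RE.search(msg)
        if m:
            summary["ssl_reasons"][(m["code"].upper(), m["reason"])] += 1
        m = REJECT_RE.match(msg)
        if m:
            summary["rejects"][(m["identity"], m["reason"])] += 1
        m = MODULE_RE.match(msg)
        if m:
            summary["unloadable_eap_types"].add(int(m["type"]))
    return summary


def report(summary):
    """Print the triage summary in a form suitable for pasting into a ticket."""
    print("lines by level:", dict(summary["by_level"]), "unparsed:", summary["unparsed"])
    for (code, reason), n in summary["ssl_reasons"].most_common():
        print(f"  OpenSSL {code}: {reason} x{n}")
    for (identity, reason), n in summary["rejects"].most_common():
        print(f"  reject {identity!r}: {reason} x{n}")
    print("  EAP types with no module:", sorted(summary["unloadable_eap_types"]))


if __name__ == "__main__":
    report(triage(SAMPLE_LOG))
```

Run over the full log rather than the sample, the per-identity counts show whether the TLS failures cluster on the clients that were mid-handshake when the old server was stopped, and the set of unloadable EAP types shows whether Radiator is being handed EAP payloads whose type byte it does not recognise.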
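The two config questions in the post (which Handler a request lands in, and why requests seemed to fall through to NST-devices) can both be checked offline against the clauses quoted above. The script below is an added example, not part of the post and not Radiator code. It models the rule the reference manual states and the poster quotes, that Handlers are tried in config order and the first one whose checks all match wins, and it reports every pair of Client address ranges that overlap, which is what decides the value of Client-Identifier the Handlers test. The handler list and client ranges are copied from the post; the request dictionaries are constructed from the trace. One assumption is marked in the code: that the inner (tunnelled) PEAP request carries the outer request's Client-Identifier as well as TunnelledByPEAP=1. Which Client clause Radiator actually picks when several match is not modelled; the script only shows that the choice is ambiguous.

```python
import re
import ipaddress

# Handler check lists copied from the config in the post, in config order.
HANDLERS = [
    "TunnelledByPEAP=1",
    "TunnelledByTTLS=1",
    "Client-Identifier=wlan,Called-Station-Id=/devnet/i",
    "Client-Identifier=wlan",
    "Client-Identifier=NST-devices",
]

# Client clauses from the post: identifier plus the clause address and its
# IdenticalClients entries (secrets, NasType and hooks omitted).
CLIENTS = [
    ("NST-devices", ["10.23.0.0/16", "10.24.0.0/16", "172.31.1.0/24"]),
    ("wlan", ["10.24.97.0/24", "10.24.238.41", "10.24.238.42"]),
    ("wlan", ["10.24.97.50", "10.24.97.200", "10.24.97.201"]),
]


def parse_checks(handler_name):
    """Split 'Attr=value,Attr=/regex/flags' into (attr, expected) pairs.
    A bare <Handler> with no checks yields an empty list and matches anything."""
    checks = []
    for item in handler_name.split(","):
        if not item.strip():
            continue
        attr, _, value = item.partition("=")
        attr, value = attr.strip(), value.strip()
        m = re.fullmatch(r"/(.*)/([a-z]*)", value)
        if m:  # regex check, honouring the /i flag the post uses
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            checks.append((attr, re.compile(m.group(1), flags)))
        else:  # literal check
            checks.append((attr, value))
    return checks


def check_matches(check, request):
    attr, expected = check
    actual = request.get(attr)
    if actual is None:  # a missing attribute never satisfies a check
        return False
    if isinstance(expected, re.Pattern):
        return expected.search(str(actual)) is not None
    return str(actual) == expected


def select_handler(handlers, request):
    """First handler, in config order, whose checks all match; None otherwise."""
    for name in handlers:
        if all(check_matches(c, request) for c in parse_checks(name)):
            return name
    return None


def matching_clients(clients, nas_ip):
    """Identifiers of every Client clause whose ranges contain nas_ip, in
    config order. More than one entry means the Client choice is ambiguous."""
    ip = ipaddress.ip_address(nas_ip)
    return [ident for ident, ranges in clients
            if any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)]


def client_overlaps(clients):
    """Every pair of address ranges in the Client list that overlap."""
    nets = [(ident, ipaddress.ip_network(r, strict=False))
            for ident, ranges in clients for r in ranges]
    pairs = []
    for i, (ia, na) in enumerate(nets):
        for ib, nb in nets[i + 1:]:
            if na.overlaps(nb):
                pairs.append((ia, str(na), ib, str(nb)))
    return pairs


if __name__ == "__main__":
    # Constructed requests modelled on the two Access-Requests in the trace.
    outer_devnet = {"Client-Identifier": "wlan", "Called-Station-Id": "0024.c48d.5910:devnet"}
    outer_secure = {"Client-Identifier": "wlan", "Called-Station-Id": "0013.60dc.9d60:muscsecure"}
    # Assumption: the inner request carries Client-Identifier as well as TunnelledByPEAP=1.
    inner_peap = {"TunnelledByPEAP": "1", "Client-Identifier": "wlan"}
    for label, req in [("devnet", outer_devnet), ("secure", outer_secure), ("inner", inner_peap)]:
        print(label, "->", select_handler(HANDLERS, req))
    # With the TunnelledBy handlers moved after the wlan handlers, the generic
    # wlan handler captures the inner request before the PEAP handler is tried.
    print("inner (TunnelledBy last) ->", select_handler(HANDLERS[2:] + HANDLERS[:2], inner_peap))
    print("clients containing 10.24.97.13:", matching_clients(CLIENTS, "10.24.97.13"))
    for pair in client_overlaps(CLIENTS):
        print("overlap:", pair)
```

The overlap report shows that 10.24.0.0/16 in the NST-devices clause contains every address the two wlan clauses claim, so the NAS at 10.24.97.13 is inside both an NST-devices range and a wlan range; that is the kind of ambiguity to remove from the Client list before reasoning about Handler order. The reordering test shows why a catch-all style handler such as Client-Identifier=wlan should not precede the TunnelledBy handlers if the inner request carries the same Client-Identifier.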