[RADIATOR] EAP errors and config ordering questions

Hugh Irvine hugh at open.com.au
Sun Mar 14 03:01:19 CDT 2010


Hello Justin -

I am guessing you have not installed the Perl module prerequisites Net-SSLeay and/or OpenSSL.

You will find a precompiled package of required modules on our website:

	http://www.open.com.au/radiator/faq.html#141

regards

Hugh


On 12 Mar 2010, at 07:24, McNealy, Justin S wrote:

> Hello,
>  
> We are having an issue with a recent upgrade. We went from 4.2 to 4.6.
>  
> We upgraded one of the servers that primarily handled the accounting and then tested to make sure clients were authenticating ok. Once that was verified, we shut down the Authentication server and allowed the clients to fail over to the server running the new version. That is when we started seeing errors in the logs.
>  
> A google search did not yield any results that explained these errors to our satisfaction.
>  
> Our current  config is attached and some of the errors are below.
>  
> Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
> Thu Mar 11 10:24:31 2010: ERR: EAP PEAP TLS read failed:  2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>  
> Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
> Thu Mar 11 10:24:32 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
> Thu Mar 11 10:24:32 2010: ERR: Could not load EAP module Radius::EAP_152: Can't locate Radius/EAP_152.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 359) line 3.
>  
> Thu Mar 11 10:24:32 2010: INFO: Access rejected for domain\username: Unsupported EAP Request 152
> Thu Mar 11 10:24:32 2010: INFO: Duplicate request id 29 received from 10.24.97.21(32770): ignored
> Thu Mar 11 10:24:37 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
> Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: PEAP Authentication Failure
> Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 437) line 3.
>  
> Thu Mar 11 10:24:40 2010: INFO: Access rejected for anonymous: Unsupported EAP Request 11
> Thu Mar 11 10:24:40 2010: ERR: EAP TLS error: -1, 1, 8465,  2004: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>  
> Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/d-m0: EAP PEAP TLS error
> Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 440) line 3.
>  
> Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/chp-DQD5WF1.domain.local: Unsupported EAP Request 11
> Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed:  2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>  
> Thu Mar 11 10:24:55 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
> Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed:  2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
>  
> Thu Mar 11 10:25:03 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Thu Mar 11 10:25:03 2010: INFO: Access rejected for anonymous: PEAP Authentication Failure
> Thu Mar 11 10:25:08 2010: ERR: EAP PEAP TLS read failed:  2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
>  
>  
> Thu Mar 11 12:24:18 2010: ERR: EAP TLS error: -1, 1, 8465,  3256: 1 - error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early
> Then we restarted at trace 4:
>  
> Thu Mar 11 11:02:27 2010: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Mar 11 11:02:27 2010: NOTICE: Server started: Radiator 4.6 on radauth4
>  
> *** Received from 10.24.97.13 port 32770 ....
> Code:       Access-Request
> Identifier: 192
> Authentic:  <232><13>5S<151><174>z<203><146>~<220><202><206>u<127><218>
> Attributes:
>                 User-Name = "domain\username"
>                 Calling-Station-Id = "0010.7a72.3b64"
>                 Called-Station-Id = "0024.c48d.5910:devnet"
>                 NAS-Port = 29
>                 NAS-IP-Address = 10.24.97.13
>                 NAS-Identifier = "wism3a"
>                 Airespace-WLAN-Id = 6
>                 Service-Type = Framed-User
>                 Framed-MTU = 1300
>                 NAS-Port-Type = Wireless-IEEE-802-11
>                 Tunnel-Type = 0:VLAN
>                 Tunnel-Medium-Type = 0:802
>                 Tunnel-Private-Group-ID = 256
>                 EAP-Message = <2><8><0>P<25><0><23><3><1><0><24><214><15><169><192>_\<15><167>O<6>A<153>ws<1>2<183><194><132><21><131><235><173><194><23><3><1><0>(<249><247><131><209>Mw<127>d<143><247><6><190><158><157><183><224>%<211><4>e<150><191>=<13><132>]<197><153><147>\<149><137><235><193>AWH<31><254>[
>                 Message-Authenticator = <239><177>_<203><185>_<246><205>~<167>1Y<211><130><169>i
>  
> Thu Mar 11 12:26:06 2010: DEBUG: Handling request with Handler 'Client-Identifier=wlan,Called-Station-Id=/devnet/i'
> Thu Mar 11 12:26:06 2010: DEBUG:  Deleting session for domain\username, 10.24.97.13, 29
> Thu Mar 11 12:26:06 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Mar 11 12:26:06 2010: DEBUG: Handling with EAP: code 2, 8, 80, 25
> Thu Mar 11 12:26:06 2010: DEBUG: Response type 25
> Thu Mar 11 12:26:06 2010: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465
> Thu Mar 11 12:26:06 2010: ERR: EAP TLS error: -1, 1, 8465,  1684: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>  
> Thu Mar 11 12:26:06 2010: DEBUG: EAP result: 1, EAP PEAP TLS error
> Thu Mar 11 12:26:06 2010: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error
> Thu Mar 11 12:26:06 2010: INFO: Access rejected for domain\username: EAP PEAP TLS error
> Thu Mar 11 12:26:06 2010: DEBUG: Packet dump:
> *** Sending to 10.24.97.13 port 32770 ....
> Code:       Access-Reject
> Identifier: 192
> Authentic:  <186>G<12>%<212>lr<14><10><199>y<251>hz<1><27>
> Attributes:
>                 EAP-Message = <4><8><0><4>
>                 Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>                 Reply-Message = "Request Denied
>  
>  
> *** Received from 10.24.97.22 port 32770 ....
> Code:       Access-Request
> Identifier: 223
> Authentic:  <142><2><190><146><208>Ak<186><5><232>^<252><177>,@"
> Attributes:
>                 User-Name = "username"
>                 Calling-Station-Id = "d49a.20a0.9ae4"
>                 Called-Station-Id = "0013.60dc.9d60:muscsecure"
>                 NAS-Port = 29
>                 NAS-IP-Address = 10.24.97.22
>                 NAS-Identifier = "wism2b"
>                 Airespace-WLAN-Id = 3
>                 Service-Type = Framed-User
>                 Framed-MTU = 1300
>                 NAS-Port-Type = Wireless-IEEE-802-11
>                 Tunnel-Type = 0:VLAN
>                 Tunnel-Medium-Type = 0:802
>                 Tunnel-Private-Group-ID = 168
>                 EAP-Message = <2><6><0><208><25><129><0><0><0><198><22><3><1><0><134><16><0><0><130><0><128>`<25>7<243><248><0>R<3><26><148>@7<222><164><148><220>!I<24><183><147><159>{8<1><24><166><27>fN<6><<145><255>7k<165><173>+<162><210><132><201><143><166><7>&<232>{oS<216>p<20><236><13>x5\<219>#&1S<21>l<186><7>O<186>=0j<25><203>b_<229><132><0><242>&<133>,<11><243>6<220><209><186>VN<195><129><196><133><238>W<145>,<212>`<253><132>_T<195><19><14>p9<1><26><194>4<227><232><12>M<175>[<189>q3<149><2>V'<20><3><1><0><1><1><22><3><1><0>09<179><21><238><241>T<157>w<234>?<248><154>v<205><172><159><10><148><205><252><200>7<175><143>Q<224><127>l<244>#}<177><167><27>9<206>TF<171>u<9><213>W<225>_<146><215><200>
>                 Message-Authenticator = &<11><232><228><168><134><170>@Lj<223><168><255><184><213>h
>  
> Thu Mar 11 12:26:25 2010: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
> Thu Mar 11 12:26:25 2010: DEBUG:  Deleting session for username, 10.24.97.22, 29
> Thu Mar 11 12:26:25 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Mar 11 12:26:25 2010: DEBUG: Handling with EAP: code 2, 6, 208, 25
> Thu Mar 11 12:26:25 2010: DEBUG: Response type 25
> Thu Mar 11 12:26:25 2010: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465
> Thu Mar 11 12:26:25 2010: ERR: EAP TLS error: -1, 1, 8465,  1684: 1 - error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
>  
> Thu Mar 11 12:26:25 2010: DEBUG: EAP result: 1, EAP PEAP TLS error
> Thu Mar 11 12:26:25 2010: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error
> Thu Mar 11 12:26:25 2010: INFO: Access rejected for username: EAP PEAP TLS error
> Thu Mar 11 12:26:25 2010: DEBUG: Packet dump:
> *** Sending to 10.24.97.22 port 32770 ....
> Code:       Access-Reject
> Identifier: 223
> Authentic:  '<21><147><143><128><132><243><158><142><12>yj<12><233><216><181>
> Attributes:
>                 EAP-Message = <4><6><0><4>
>                 Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>                 Reply-Message = "Request Denied"
>  
>  
>  
> Are these due to fast-reconnect and/or session resumption or something else?
>  
> Also, We did this to be able to use CIDR in our client clauses. We noticed that the handlers used were not what we expected
>  
> We had the following clients configured:
>  
> <Client 10.23.0.0/16>
>         IdenticalClients 10.24.0.0/16 172.31.1.0/24
>         Identifier              NST-devices
>         Secret                  secret
>         DupInterval             2
>         NasType                 Cisco
>         SNMPCommunity           private
>         IgnoreAcctSignature     1
> </Client>
>  
> PreClientHook file:"%D/scripts/acct_adjustment.pl"
>  
> <Client 10.24.97.0/24>
>         IdenticalClients 10.24.238.41,10.24.238.42
>         Secret                  secret
>         Identifier              wlan
>         DupInterval             2
>         NasType                 Cisco
>         SNMPCommunity           private
>         IgnoreAcctSignature     1
> </Client>
>  
> <Client 10.24.97.50>
>         IdenticalClients 10.24.97.200,10.24.97.201
>         Secret                  secret
>         Identifier              wlan
>         DupInterval             2
>         NasType                 Aruba
>         SNMPCommunity           private
>         IgnoreAcctSignature     1
> </Client>
>  
> And these handlers:
>  
> <Handler TunnelledByPEAP=1>
>         #AuthByPolicy ContinueUntilAccept
>         RewriteUsername s/(.*)\\(.*)/$2/
>         <AuthBy LSA>
>                 Domain domain
>                 #Group Domain Users
>                 #DomainController zulu
>                 EAPType MSCHAP-V2
>         </AuthBy>
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>         #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
>         PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>  
> <Handler TunnelledByTTLS=1>
>         #AuthByPolicy ContinueUntilAccept
>  
>       # Strip realm if in MSN format
>       RewriteUsername s/(.*)\\(.*)/$2/
>  
>         #AuthBy LDAPAuthentication
>  
>         <AuthBy LSA>
>                 Domain domain
>                 #Group Domain Users
>                 #DomainController zulu
>                 EAPType MSCHAP-V2
>         </AuthBy>
>  
> #      <AuthBy UNIX>
> #               GroupFilename %D/group
> #               # anonymous-PEAP must be in here:
> #               Filename %D/radauth_pass.wlan
> #       </AuthBy>
>  
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>         #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
>         PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>  
>  
> <Handler Client-Identifier=wlan,Called-Station-Id=/devnet/i>
>         #AuthByPolicy ContinueUntilAccept
>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>         StripFromRequest Class
>  
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,TTLS
>                 EAPTLS_CAFile %D/certificates/production/dc1_ca.cer
>                 EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem
>                 EAPTLS_PrivateKeyPassword secret
>                 EAPTLS_VerifyDepth 3
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 1
>                 EAPTLS_PEAPBrokenV1Label
>         </AuthBy>
>  
>         #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>  
> <Handler Client-Identifier=wlan>
>         #AuthByPolicy ContinueUntilAccept
>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>         StripFromRequest Class
>  
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,TTLS
>                 EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
>                 EAPTLS_CertificateFile %D/certificates/production/%h.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
>                 EAPTLS_PrivateKeyPassword secret
>                 EAPTLS_VerifyDepth 3
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 1
>                 EAPTLS_PEAPBrokenV1Label
>         </AuthBy>
>  
>         #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>  
>  
> <Handler Client-Identifier=NST-devices>
>         AuthByPolicy ContinueUntilAccept
>         #AuthByPolicy ContinueAlways
>         #AuthByPolicy ContinueWhileIgnore      # Default
>         <AuthBy UNIX>
>                 #GroupFilename %D/group
>                 Filename %D/passwd.nst
>         </AuthBy>
>         #AddToReply Service-Type = "Administrative-User"
>         #AddToReply cisco-avpair = "shell:priv-lvl=15"
>  
>         #syslog functions not available on win32
>         #AuthLog authlogger
>         # Log accounting to a detail file
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>  
> And everything seemed to fall to the last handler - NST-devices…we tried moving the Client clause down to be the last client but it made no difference.
>  
> While reading the reference manual, it says handlers are evaluated in the order in which they appear in the config. Should we move the TunneledbyPEAP and TunneledbyTTLS below the wlan handler?
>  
> Also, We noticed that the install did not copy the dictionary to the directory…should we have done an uninstall and then reinstalled?
>  
> Thanks,
> Jay and Steve
>  
>  
> <radius.cfg>_______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.





More information about the radiator mailing list