[RADIATOR] EAP errors and config ordering questions
McNealy, Justin S
mcnealy at musc.edu
Mon Mar 15 07:25:35 CDT 2010
Hugh,
From the look of our queries we have the module installed. We also see devices that were denied get accepted on the next authentication attempt.
Also, did you see our question about CIDR and the Client clause?
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\ >ppm query
Usage: ppm query <pattern>
Run 'ppm help query' to learn more.
C:\Users\ >ppm query net*
┌──────────┬────────┬────────────────────────────────────────────────────┬────┐
│name      │version │abstract                                            │area│
├──────────┼────────┼────────────────────────────────────────────────────┼────┤
│Net-SSLeay│1.32.0.1│Perl extension for using OpenSSL. Includes OpenSSL >│site│
└──────────┴────────┴────────────────────────────────────────────────────┴────┘
(1 package installed matching 'net*')
C:\Users\ >ppm query open*
*** no packages installed matching 'open*' ***
C:\Users\ >ppm query ssl*
*** no packages installed matching 'ssl*' ***
C:\Users\> ppm query SSL
┌──────────┬────────┬────────────────────────────────────────────────────┬────┐
│name      │version │abstract                                            │area│
├──────────┼────────┼────────────────────────────────────────────────────┼────┤
│Net-SSLeay│1.32.0.1│Perl extension for using OpenSSL. Includes OpenSSL >│site│
└──────────┴────────┴────────────────────────────────────────────────────┴────┘
(1 package installed matching 'SSL')
Thanks
Jay and Steve
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Sunday, March 14, 2010 4:01 AM
To: McNealy, Justin S
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] EAP errors and config ordering questions
Hello Justin -
I am guessing you have not installed the Perl module prerequisites Net-SSLeay and/or OpenSSL.
You will find a precompiled package of required modules on our website:
http://www.open.com.au/radiator/faq.html#141
regards
Hugh
On 12 Mar 2010, at 07:24, McNealy, Justin S wrote:
> Hello,
>
> We are having an issue with a recent upgrade. We went from 4.2 to 4.6.
>
> We upgraded one of the servers that primarily handled the accounting and then tested to make sure clients were authenticating ok. Once that was verified, we shut down the Authentication server and allowed the clients to fail over to the server running the new version. That is when we started seeing errors in the logs.
>
> A Google search did not yield any results that explained these errors to our satisfaction.
>
> Our current config is attached and some of the errors are below.
>
> Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
> Thu Mar 11 10:24:31 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> Thu Mar 11 10:24:31 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
> Thu Mar 11 10:24:32 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
> Thu Mar 11 10:24:32 2010: ERR: Could not load EAP module Radius::EAP_152: Can't locate Radius/EAP_152.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 359) line 3.
>
> Thu Mar 11 10:24:32 2010: INFO: Access rejected for domain\username: Unsupported EAP Request 152
> Thu Mar 11 10:24:32 2010: INFO: Duplicate request id 29 received from 10.24.97.21(32770): ignored
> Thu Mar 11 10:24:37 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.
> Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Thu Mar 11 10:24:37 2010: INFO: Access rejected for anonymous: PEAP Authentication Failure
> Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 437) line 3.
>
> Thu Mar 11 10:24:40 2010: INFO: Access rejected for anonymous: Unsupported EAP Request 11
> Thu Mar 11 10:24:40 2010: ERR: EAP TLS error: -1, 1, 8465, 2004: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>
> Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/d-m0: EAP PEAP TLS error
> Thu Mar 11 10:24:40 2010: ERR: Could not load EAP module Radius::EAP_11: Can't locate Radius/EAP_11.pm in @INC (@INC contains: . C:/Perl/site/lib C:/Perl/lib .) at (eval 440) line 3.
>
> Thu Mar 11 10:24:40 2010: INFO: Access rejected for host/chp-DQD5WF1.domain.local: Unsupported EAP Request 11
> Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> Thu Mar 11 10:24:55 2010: INFO: Access rejected for domain\username: EAP PEAP TLS read failed
> Thu Mar 11 10:24:55 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
>
> Thu Mar 11 10:25:03 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Thu Mar 11 10:25:03 2010: INFO: Access rejected for anonymous: PEAP Authentication Failure
> Thu Mar 11 10:25:08 2010: ERR: EAP PEAP TLS read failed: 2004: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
>
>
> Thu Mar 11 12:24:18 2010: ERR: EAP TLS error: -1, 1, 8465, 3256: 1 - error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early
>
> Then we restarted at trace 4:
>
> Thu Mar 11 11:02:27 2010: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Mar 11 11:02:27 2010: NOTICE: Server started: Radiator 4.6 on
> radauth4
>
> *** Received from 10.24.97.13 port 32770 ....
> Code: Access-Request
> Identifier: 192
> Authentic: <232><13>5S<151><174>z<203><146>~<220><202><206>u<127><218>
> Attributes:
> User-Name = "domain\username"
> Calling-Station-Id = "0010.7a72.3b64"
> Called-Station-Id = "0024.c48d.5910:devnet"
> NAS-Port = 29
> NAS-IP-Address = 10.24.97.13
> NAS-Identifier = "wism3a"
> Airespace-WLAN-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 256
> EAP-Message = <2><8><0>P<25><0><23><3><1><0><24><214><15><169><192>_\<15><167>O<6>A<153>ws<1>2<183><194><132><21><131><235><173><194><23><3><1><0>(<249><247><131><209>Mw<127>d<143><247><6><190><158><157><183><224>%<211><4>e<150><191>=<13><132>]<197><153><147>\<149><137><235><193>AWH<31><254>[
> Message-Authenticator = <239><177>_<203><185>_<246><205>~<167>1Y<211><130><169>i
>
> Thu Mar 11 12:26:06 2010: DEBUG: Handling request with Handler 'Client-Identifier=wlan,Called-Station-Id=/devnet/i'
> Thu Mar 11 12:26:06 2010: DEBUG: Deleting session for domain\username, 10.24.97.13, 29
> Thu Mar 11 12:26:06 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Mar 11 12:26:06 2010: DEBUG: Handling with EAP: code 2, 8, 80, 25
> Thu Mar 11 12:26:06 2010: DEBUG: Response type 25
> Thu Mar 11 12:26:06 2010: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465
> Thu Mar 11 12:26:06 2010: ERR: EAP TLS error: -1, 1, 8465, 1684: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>
> Thu Mar 11 12:26:06 2010: DEBUG: EAP result: 1, EAP PEAP TLS error
> Thu Mar 11 12:26:06 2010: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error
> Thu Mar 11 12:26:06 2010: INFO: Access rejected for domain\username: EAP PEAP TLS error
> Thu Mar 11 12:26:06 2010: DEBUG: Packet dump:
> *** Sending to 10.24.97.13 port 32770 ....
> Code: Access-Reject
> Identifier: 192
> Authentic: <186>G<12>%<212>lr<14><10><199>y<251>hz<1><27>
> Attributes:
> EAP-Message = <4><8><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
>
> *** Received from 10.24.97.22 port 32770 ....
> Code: Access-Request
> Identifier: 223
> Authentic: <142><2><190><146><208>Ak<186><5><232>^<252><177>,@"
> Attributes:
> User-Name = "username"
> Calling-Station-Id = "d49a.20a0.9ae4"
> Called-Station-Id = "0013.60dc.9d60:muscsecure"
> NAS-Port = 29
> NAS-IP-Address = 10.24.97.22
> NAS-Identifier = "wism2b"
> Airespace-WLAN-Id = 3
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 168
> EAP-Message = <2><6><0><208><25><129><0><0><0><198><22><3><1><0><134><16><0><0><130><0><128>`<25>7<243><248><0>R<3><26><148>@7<222><164><148><220>!I<24><183><147><159>{8<1><24><166><27>fN<6><<145><255>7k<165><173>+<162><210><132><201><143><166><7>&<232>{oS<216>p<20><236><13>x5\<219>#&1S<21>l<186><7>O<186>=0j<25><203>b_<229><132><0><242>&<133>,<11><243>6<220><209><186>VN<195><129><196><133><238>W<145>,<212>`<253><132>_T<195><19><14>p9<1><26><194>4<227><232><12>M<175>[<189>q3<149><2>V'<20><3><1><0><1><1><22><3><1><0>09<179><21><238><241>T<157>w<234>?<248><154>v<205><172><159><10><148><205><252><200>7<175><143>Q<224><127>l<244>#}<177><167><27>9<206>TF<171>u<9><213>W<225>_<146><215><200>
> Message-Authenticator = &<11><232><228><168><134><170>@Lj<223><168><255><184><213>h
>
> Thu Mar 11 12:26:25 2010: DEBUG: Handling request with Handler 'Client-Identifier=wlan'
> Thu Mar 11 12:26:25 2010: DEBUG: Deleting session for username, 10.24.97.22, 29
> Thu Mar 11 12:26:25 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Mar 11 12:26:25 2010: DEBUG: Handling with EAP: code 2, 6, 208, 25
> Thu Mar 11 12:26:25 2010: DEBUG: Response type 25
> Thu Mar 11 12:26:25 2010: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465
> Thu Mar 11 12:26:25 2010: ERR: EAP TLS error: -1, 1, 8465, 1684: 1 - error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
>
> Thu Mar 11 12:26:25 2010: DEBUG: EAP result: 1, EAP PEAP TLS error
> Thu Mar 11 12:26:25 2010: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error
> Thu Mar 11 12:26:25 2010: INFO: Access rejected for username: EAP PEAP TLS error
> Thu Mar 11 12:26:25 2010: DEBUG: Packet dump:
> *** Sending to 10.24.97.22 port 32770 ....
> Code: Access-Reject
> Identifier: 223
> Authentic: '<21><147><143><128><132><243><158><142><12>yj<12><233><216><181>
> Attributes:
> EAP-Message = <4><6><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
>
>
> Are these due to fast-reconnect and/or session resumption or something else?
>
> Also, we did this to be able to use CIDR in our Client clauses. We
> noticed that the handlers used were not what we expected.
>
> We had the following clients configured:
>
> <Client 10.23.0.0/16>
>     IdenticalClients 10.24.0.0/16 172.31.1.0/24
>     Identifier NST-devices
>     Secret secret
>     DupInterval 2
>     NasType Cisco
>     SNMPCommunity private
>     IgnoreAcctSignature 1
> </Client>
>
> PreClientHook file:"%D/scripts/acct_adjustment.pl"
>
> <Client 10.24.97.0/24>
>     IdenticalClients 10.24.238.41,10.24.238.42
>     Secret secret
>     Identifier wlan
>     DupInterval 2
>     NasType Cisco
>     SNMPCommunity private
>     IgnoreAcctSignature 1
> </Client>
>
> <Client 10.24.97.50>
>     IdenticalClients 10.24.97.200,10.24.97.201
>     Secret secret
>     Identifier wlan
>     DupInterval 2
>     NasType Aruba
>     SNMPCommunity private
>     IgnoreAcctSignature 1
> </Client>
>
> And these handlers:
>
> <Handler TunnelledByPEAP=1>
>     #AuthByPolicy ContinueUntilAccept
>     RewriteUsername s/(.*)\\(.*)/$2/
>     <AuthBy LSA>
>         Domain domain
>         #Group Domain Users
>         #DomainController zulu
>         EAPType MSCHAP-V2
>     </AuthBy>
>     AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>     #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
>     PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>
> <Handler TunnelledByTTLS=1>
>     #AuthByPolicy ContinueUntilAccept
>
>     # Strip realm if in MSN format
>     RewriteUsername s/(.*)\\(.*)/$2/
>
>     #AuthBy LDAPAuthentication
>
>     <AuthBy LSA>
>         Domain domain
>         #Group Domain Users
>         #DomainController zulu
>         EAPType MSCHAP-V2
>     </AuthBy>
>
>     # <AuthBy UNIX>
>     #     GroupFilename %D/group
>     #     # anonymous-PEAP must be in here:
>     #     Filename %D/radauth_pass.wlan
>     # </AuthBy>
>
>     AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>     #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
>     PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>
>
> <Handler Client-Identifier=wlan,Called-Station-Id=/devnet/i>
>     #AuthByPolicy ContinueUntilAccept
>     AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>     StripFromRequest Class
>
>     <AuthBy FILE>
>         Filename %D/users
>         EAPType PEAP,TTLS
>         EAPTLS_CAFile %D/certificates/production/dc1_ca.cer
>         EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem
>         EAPTLS_PrivateKeyPassword secret
>         EAPTLS_VerifyDepth 3
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         EAPTLS_PEAPVersion 1
>         EAPTLS_PEAPBrokenV1Label
>     </AuthBy>
>
>     #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>     AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> <Handler Client-Identifier=wlan>
>     #AuthByPolicy ContinueUntilAccept
>     AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>     StripFromRequest Class
>
>     <AuthBy FILE>
>         Filename %D/users
>         EAPType PEAP,TTLS
>         EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
>         EAPTLS_CertificateFile %D/certificates/production/%h.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
>         EAPTLS_PrivateKeyPassword secret
>         EAPTLS_VerifyDepth 3
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         EAPTLS_PEAPVersion 1
>         EAPTLS_PEAPBrokenV1Label
>     </AuthBy>
>
>     #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>     AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
>
> <Handler Client-Identifier=NST-devices>
>     AuthByPolicy ContinueUntilAccept
>     #AuthByPolicy ContinueAlways
>     #AuthByPolicy ContinueWhileIgnore # Default
>     <AuthBy UNIX>
>         #GroupFilename %D/group
>         Filename %D/passwd.nst
>     </AuthBy>
>     #AddToReply Service-Type = "Administrative-User"
>     #AddToReply cisco-avpair = "shell:priv-lvl=15"
>
>     #syslog functions not available on win32
>     #AuthLog authlogger
>     # Log accounting to a detail file
>     AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>
> And everything seemed to fall to the last handler, NST-devices. We tried moving the Client clause down to be the last client, but it made no difference.
>
> While reading the reference manual, it says handlers are evaluated in the order in which they appear in the config. Should we move the TunnelledByPEAP and TunnelledByTTLS handlers below the wlan handler?
>
> Also, we noticed that the install did not copy the dictionary to the directory. Should we have done an uninstall and then reinstalled?
>
> Thanks,
> Jay and Steve
>
>
> <radius.cfg>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec), and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
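To make the first-match rule Justin cites from the reference manual concrete, here is an added Python model of the Client clauses and Handler check items from the quoted config (example code written for this page, not Radiator's own). It assumes that Client clauses and Handlers are both tried in config order with the first full match winning, and that a tunnelled inner request is seen with the outer request's Client-Identifier; the NAS addresses and Called-Station-Id values come from the quoted trace.

```python
"""Model of first-match Client and Handler dispatch for the quoted config.
Added example, not Radiator code. Assumes config-order, first-match
selection, and that an inner (tunnelled) request keeps Client-Identifier."""
import ipaddress
import re

# Client clauses from the quoted config, in config order:
# (Identifier, [Client address] + IdenticalClients)
CLIENTS = [
    ("NST-devices", ["10.23.0.0/16", "10.24.0.0/16", "172.31.1.0/24"]),
    ("wlan", ["10.24.97.0/24", "10.24.238.41", "10.24.238.42"]),
    ("wlan", ["10.24.97.50", "10.24.97.200", "10.24.97.201"]),
]

def matching_clients(nas_ip):
    """Identifiers of every Client clause covering nas_ip, in config order.
    More than one hit means the clauses overlap and order decides the winner."""
    ip = ipaddress.ip_address(nas_ip)
    return [ident for ident, nets in CLIENTS
            if any(ip in ipaddress.ip_network(net) for net in nets)]

# Handler check items from the quoted config, in config order.
HANDLERS = [
    "TunnelledByPEAP=1",
    "TunnelledByTTLS=1",
    "Client-Identifier=wlan,Called-Station-Id=/devnet/i",
    "Client-Identifier=wlan",
    "Client-Identifier=NST-devices",
]

def check_matches(check, request):
    """One 'Attr=value' (exact) or 'Attr=/regex/i' check against a request dict."""
    attr, _, want = check.partition("=")
    have = request.get(attr)
    if have is None:
        return False
    m = re.fullmatch(r"/(.*)/(i?)", want)
    if m:  # regex form, optional case-insensitive flag as in the config
        flags = re.IGNORECASE if m.group(2) else 0
        return re.search(m.group(1), str(have), flags) is not None
    return str(have) == want

def select_handler(request, handlers=HANDLERS):
    """First Handler whose comma-separated checks all pass, else None."""
    for handler in handlers:
        if all(check_matches(c, request) for c in handler.split(",")):
            return handler
    return None
```

Calling `matching_clients("10.24.97.13")` returns both NST-devices and wlan, since 10.24.0.0/16 in the first clause's IdenticalClients contains the whole 10.24.97.0/24 wlan range; the Handler selection for the two traced requests reproduces the handler names shown in the trace.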