[RADIATOR] SSL Errors

Heikki Vatiainen hvn at open.com.au
Fri Sep 9 04:08:40 CDT 2011


On 09/08/2011 11:39 PM, Johnson, Neil M wrote:

Hello Neil,

> I should point out the PEAP authentication is working for most clients.

The errors come from the SSL layer. The authentication messages from the
clients are getting corrupted somewhere. So this is a problem between
the client and Radiator and does not concern your AD infrastructure.

Working back from Radiator towards the authenticating client there are a
number of possibilities that can cause this.

Radiator has problems handling all incoming requests. Some requests get
dropped from the incoming OS UDP queue and the TLS tunnels from the
authenticating clients to Radiator start experiencing problems. TLS was
designed for TCP (reliable transport), so I am not surprised if it has
problems with unreliable transport (lost, duplicated, corrupted, out of
order) UDP provides.

For the configuration you could try setting EAPTLS_MaxFragmentSize to
1000. See Radiator reference manual section "5.19.35
EAPTLS_MaxFragmentSize". If the error messages are caused by NASes that
have problems with fragments, this might help.

The OpenSSL libraries and Perl Net-SSLeay module Radiator uses may be
buggy. I do not think this is the most likely cause though. Errors such
as "decryption failed" and "block cipher pad is wrong" indicate
corrupted messages.

If you have load balancers, either dedicated devices or Radiator doing
proxying and load balancing, these can easily cause problems with EAP
authentication. When, e.g., PEAP establishes a TLS tunnel from the client to the
authenticating RADIUS server, the load balancers need to keep related
EAP packets together so that the traffic is always proxied to the same
RADIUS server.

Please see discussion in the reference manual about AuthBy EAPBALANCE.
There is more about how to properly do load balancing with EAP
authentication using Radiator.

The next step is to check the NASes. The first item,
EAPTLS_MaxFragmentSize setting, relates to NASes, but there might be a
device (WLAN AP or controller) that is having problems and is corrupting
EAP messages from the authenticating client.

To catch these, run Radiator with Trace 4 and use Called-Station-Id,
Calling-Station-Id, NAS-IP-Address and other attributes from the request
to see where the corrupted requests came from.

Finally the problem may be with the authenticating client. Trace 4
should help here too. You can collect the Calling-Station-Id information
from the corrupted requests and see if the problems occur with the same
MAC address.

Finally, I have noticed these errors can show up even if everything
works as expected. However, the percentage of errors should be very
small compared to the total number of authentication messages.

You wrote about thousands of messages, and that sounds a little too much.

Thanks!
Heikki


> ------------------------------------------------------------------------
> *From:* radiator-bounces at open.com.au [radiator-bounces at open.com.au] on
> behalf of Johnson, Neil M [neil-johnson at uiowa.edu]
> *Sent:* Thursday, September 08, 2011 2:19 PM
> *To:* radiator at open.com.au
> *Subject:* [RADIATOR] SSL Errors
> 
> We are seeing thousands of these errors over a 24 hour period. What do
> they indicate and what should we be troubleshooting? We are running the
> latest RADIATOR on Windows Server 2008 R2 SP1 64-bit.
> 
> Is it an issue between the client and RADIATOR or our Active Directory
> Infrastructure?
> 
> Is there any documentation that provides insight into these errors?
> 
> We do have support for RADIATOR under uiowa.edu
> 
> Thanks.
> 
> -Neil
> 
> Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8608, 3068: 1 -
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac
> 
> Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac
> 
> Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8576, 3068: 1 -
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 
> Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac
> 
> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
> error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
> 
> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac
> 
> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac
> 
> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 -
> error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
> 
> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 -
> error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
> 
> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac
> 
> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 -
> error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
> 
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
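As an added example (not code from the thread or from Radiator), the correlation Heikki describes, mechanised: given a Trace 4 log it ties each SSL ERR line to the request dumped just before it, then counts errors per NAS-IP-Address, per Calling-Station-Id and per OpenSSL reason, together with the error-to-request ratio he says should stay small. The Trace 4 dump layout in the constructed sample is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of a Radiator Trace 4 request dump followed
# by the ERR lines quoted in the thread (assumed layout, not a real capture).
SAMPLE_LOG = """\
Wed Sep  7 18:16:12 2011: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
    NAS-IP-Address = 10.0.0.5
    Called-Station-Id = "00-1A-1E-00-00-01:corp-wifi"
    Calling-Station-Id = "00-11-22-33-44-55"
Wed Sep  7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Sep  7 18:16:13 2011: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
    NAS-IP-Address = 10.0.0.6
    Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
Wed Sep  7 18:16:13 2011: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
    NAS-IP-Address = 10.0.0.5
    Calling-Station-Id = "00-11-22-33-44-55"
Wed Sep  7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
"""

ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?\s*$')
ERR_RE = re.compile(r': ERR: .*SSL routines:[^:]+:(.+)$')

def correlate_ssl_errors(log_text):
    """Tie each SSL ERR line to the last dumped request; count per NAS/MAC/reason."""
    current, requests, errors = {}, 0, 0
    by_nas, by_mac, by_reason = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if 'Packet dump:' in line:
            current = {}                      # a new request starts here
        elif line.startswith('Code:') and 'Access-Request' in line:
            requests += 1
        elif (m := ATTR_RE.match(line)):
            current[m.group(1)] = m.group(2)  # attribute of the current request
        elif (m := ERR_RE.search(line)):
            errors += 1
            by_reason[m.group(1)] += 1
            by_nas[current.get('NAS-IP-Address', 'unknown')] += 1
            by_mac[current.get('Calling-Station-Id', 'unknown')] += 1
    return {'requests': requests, 'errors': errors,
            'error_ratio': errors / requests if requests else 0.0,
            'by_nas': dict(by_nas), 'by_mac': dict(by_mac), 'by_reason': dict(by_reason)}
```

On a real log, a single NAS or MAC dominating `by_nas` or `by_mac` points at a misbehaving AP/controller or client, while errors spread evenly across all of them point back at Radiator's own UDP queue or a load balancer.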