[RADIATOR] SSL Errors

Johnson, Neil M neil-johnson at uiowa.edu
Fri Sep 9 15:09:57 CDT 2011 

Heikki,

Thanks. We do have EAPTLS_MaxFragmentSize set to 1000.

We have a lot of SQL requests going on in processing hooks that maybe
causing the problem.

Thanks.
-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-johnson at uiowa.edu






On 9/9/11 4:08 AM, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 09/08/2011 11:39 PM, Johnson, Neil M wrote:
>
>Hello Neil,
>
>> I should point out the PEAP authentication is working for most cleints.
>
>The errors come from SSL layer. The authentication messages from the
>clients are getting corrupted somewhere. So this is a problem between
>the client and Radiator and does not concern your AD infrastructure.
>
>Working back from Radiator towards the authenticating client there are a
>number of possibilities that can cause this.
>
>Radiator has problems handling all incoming requests. Some requests get
>dropped from the incoming OS UDP queue and the TLS tunnels from the
>authenticating clients to Radiator start experiencing problems. TLS was
>designed for TCP (reliable transport), so I am not surprised if it has
>problems with unreliable transport (lost, duplicated, corrupted, out of
>order) UDP provides.
>
>For the configuration you could try setting EAPTLS_MaxFragmentSize to
>1000. See Radiator reference manual section "5.19.35
>EAPTLS_MaxFragmentSize". If the error messages are caused by NASes that
>have problems with fragments, this might help.
>
>The OpenSSL libraries and Perl Net-SSLeay module Radiator uses may be
>buggy. I do not think this is the most likely cause though. Errors such
>as "decryption failed" and "block cipher pad is wrong" indicate
>corrupted messages.
>
>If you have load balancers, either dedicated devices or Radiator doing
>proxying and load balancing, these can easily cause problems with EAP
>authentication. When e.g, PEAP establishes TLS tunnel from the client to
>authenticating RADIUS server, the load balancers need to keep related
>EAP packets together so that the traffic is always proxied to the same
>RADIUS server.
>
>Please see discussion in the reference manual about AuthBy EAPBALANCE.
>There is more about how to properly do load balancing with EAP
>authentication using Radiator.
>
>The next step is to check the NASes. The first item,
>EAPTLS_MaxFragmentSize setting, relates to NASes, but there might be a
>device (WLAN AP or controller) that is having problems and is corrupting
>EAP messages from the authenticating client.
>
>To catch these, run Radiator with Trace 4 and use Called-Station-Id,
>Calling-Station-Id, NAS-IP-Address and other attributes from the request
>to see where the corrupted requests came from.
>
>Finally the problem may be with the authenticating client. Trace 4
>should help here too. You can collect the Calling-Station-Id information
>from the corrupted requests and see if the prolems occurs with the same
>MAC address.
>
>Finally, I have noticed there errors can show up even if everything
>works as expected. However, the percentage of errors should be very
>small compared to the total number of authentication messages.
>
>You wrote about thousands of messages, and that sounds a little too much.
>
>Thanks!
>Heikki
>
>
>> ------------------------------------------------------------------------
>> *From:* radiator-bounces at open.com.au [radiator-bounces at open.com.au] on
>> behalf of Johnson, Neil M [neil-johnson at uiowa.edu]
>> *Sent:* Thursday, September 08, 2011 2:19 PM
>> *To:* radiator at open.com.au
>> *Subject:* [RADIATOR] SSL Errors
>> 
>> We are seeing thousands of these errors over a 24 hour period. What do
>> they indicate and what should be troubleshooting? We are running the
>> latest RADIATOR on Windows Server 2008 R2 SP1 64-bit.
>> 
>> Is it an issue between the client and RADIATOR or our Active Directory
>> Infrastructure?
>> 
>> Is there any documentation that provides insight into these errors?
>> 
>> We do have support for RADIATOR under uiowa.edu
>> 
>> Thanks.
>> 
>> -Neil
>> 
>> Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8608, 3068: 1 -
>> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
>> record mac
>> 
>> Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
>> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
>> record mac
>> 
>> Wed Sep 7 18:16:12 2011: ERR: EAP TLS error: -1, 1, 8576, 3068: 1 -
>> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> 
>> Wed Sep 7 18:16:12 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
>> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
>> record mac
>> 
>> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
>> error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
>> 
>> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
>> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
>> record mac
>> 
>> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
>> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
>> record mac
>> 
>> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 -
>> error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>> 
>> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 -
>> error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>> 
>> Wed Sep 7 18:16:13 2011: ERR: EAP PEAP TLS read failed: 3068: 1 -
>> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
>> record mac
>> 
>> Wed Sep 7 18:16:13 2011: ERR: EAP TLS error: -1, 1, 8465, 3068: 1 -
>> error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>> 
>> 
>> 
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.

More information about the radiator mailing list