[RADIATOR] tlsv1 errors

Alex Sharaz A.Sharaz at hull.ac.uk
Tue Jul 10 10:15:41 CDT 2012 

Fixed!!!

It transpires that the problem was down to our student windows 7 image. We used to use XpressConnect to setup all our staff/student images but moved over to using group,policies and  a couple of scripts for various reasons. Unfortunately the CA intermediate and root certs weren't installed on the client machines so they couldn't verify our eduroam.hull.c.uk cert.

As soon as the CAs were installed on the client, everything sprang into life

Rgds
Alex

________________________________
From: radiator-bounces at open.com.au [radiator-bounces at open.com.au] on behalf of Alex Sharaz [A.Sharaz at hull.ac.uk]
Sent: 09 July 2012 16:10
To: radiator at open.com.au
Subject: [RADIATOR] tlsv1 errors

Hi,
I'me seeing loads of

Wed Apr 18 02:13:42 2012: ERR: EAP PEAP TLS read failed:  1116: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Wed Apr 18 02:15:15 2012: ERR: EAP PEAP TLS read failed:  1116: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Wed Apr 18 02:16:48 2012: ERR: EAP PEAP TLS read failed:  1116: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Wed Apr 18 02:18:21 2012: ERR: EAP PEAP TLS read failed:  1116: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

errors on all of my Radiator V4.9 ( and 1 4.10) fully patched servers running on Windows 2008R2 servers configured to authenticate agains our AD system using
AuthBy LSA

looking in my eaplog file I can see

Jul  9, 2012 15:51 :  clientip=150.237.85.206 nasIP=150.237.253.140 nasPort=30 user=ADIR\adsmt3 result=OK
Jul  9, 2012 15:51 :  clientip= nasIP=150.237.251.30 nasPort=3 user=anonymous result=OK
Jul  9, 2012 15:51 : EAP PEAP TLS read failed clientip=150.237.85.206 nasIP=150.237.251.83 nasPort=39 user=ADIR\408859 result=FAIL
Jul  9, 2012 15:51 :  clientip=150.237.85.206 nasIP=150.237.251.30 nasPort=3 user=ADIR\381760 result=OK
Jul  9, 2012 15:52 :  clientip= nasIP=150.237.251.81 nasPort=8 user=anonymous result=OK
Jul  9, 2012 15:52 :  clientip=150.237.85.206 nasIP=150.237.251.81 nasPort=8 user=ADIR\433918 result=OK
Jul  9, 2012 15:52 : EAP PEAP TLS read failed clientip=150.237.85.206 nasIP=150.237.251.83 nasPort=21 user=ADIR\430746 result=FAIL
Jul  9, 2012 15:52 :  clientip= nasIP=150.237.175.164 nasPort=11 user=anonymous result=OK


So I've got one batch of people authenticating just fine and another lot that keep failing. As I run a load balanced service with multiple back end Radiator AD servers, shutting down one that seems to be seeing lots of problems just moves the auth failures over to another Radiator server.

I'm currently trying to figure out whether all the failures are associated with one of our University built images  but would really appreciate any hints as to what "tlsv1 alert access denied" actually means

Rgds
Alex

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120710/c183bab7/attachment.html 
-------------- next part --------------
**************************************************
To view the terms under which this email is 
distributed, please go to 
http://www2.hull.ac.uk/legal/disclaimer.aspx
**************************************************

More information about the radiator mailing list