[RADIATOR] SSL Error in PEAP conversation

Mon Sep 17 15:31:25 CDT 2012

Two more packet captures ....

https://dl.dropbox.com/u/11681146/rex_ssl_fail_2.pcapng  - Reject Message
in packet # 34962

https://dl.dropbox.com/u/11681146/rex_ssl_fail_3.pcapng  - Reject Message
in packet # 30765

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-johnson at uiowa.edu

On 9/17/12 1:50 PM, "Johnson, Neil M" <neil-johnson at uiowa.edu> wrote:

>Here is a link to a Wireshark Capture of the RADIUS traffic during The
>users Last event.
>
>He starts the Authentication Request at packet # 8335 and receives the
>reject at packet # 8357.
>
>https://dl.dropbox.com/u/11681146/rex_ssl_fail.pcapng
>
>thanks.
>
>-Neil
>
>
>
>-- 
>Neil Johnson
>Network Engineer
>The University of Iowa
>Phone: 319 384-0938
>Fax: 319 335-2951
>Mobile: 319 540-2081
>E-Mail: neil-johnson at uiowa.edu
>
>
>
>
>
>
>On 9/17/12 12:02 PM, "Johnson, Neil M" <neil-johnson at uiowa.edu> wrote:
>
>>Here is a couple of more log excerpts.
>>
>>
>>-- 
>>Neil Johnson
>>Network Engineer
>>The University of Iowa
>>Phone: 319 384-0938
>>Fax: 319 335-2951
>>Mobile: 319 540-2081
>>E-Mail: neil-johnson at uiowa.edu
>>
>>
>>
>>
>>
>>
>>On 9/17/12 11:13 AM, "Johnson, Neil M" <neil-johnson at uiowa.edu> wrote:
>>
>>>Here's another trace excerpt... (Attached).
>>>
>>>
>>>-- 
>>>Neil Johnson
>>>Network Engineer
>>>The University of Iowa
>>>Phone: 319 384-0938
>>>Fax: 319 335-2951
>>>Mobile: 319 540-2081
>>>E-Mail: neil-johnson at uiowa.edu
>>>
>>>
>>>
>>>
>>>
>>>
>>>On 9/17/12 11:01 AM, "Johnson, Neil M" <neil-johnson at uiowa.edu> wrote:
>>>
>>>>Attached is an extract from the RADIUS log, where the user failed SSL
>>>>authentication...
>>>>
>>>>We are running 4.9 with patches...
>>>>
>>>>
>>>>-- 
>>>>Neil Johnson
>>>>Network Engineer
>>>>The University of Iowa
>>>>Phone: 319 384-0938
>>>>Fax: 319 335-2951
>>>>Mobile: 319 540-2081
>>>>E-Mail: neil-johnson at uiowa.edu
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>On 9/14/12 3:42 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>>>>
>>>>>On 09/14/2012 07:16 PM, Johnson, Neil M wrote:
>>>>>
>>>>>> I have a wireless user who a few times a day gets asked to re-enter
>>>>>>his
>>>>>> credentials on his windows 7 system.  After he re-enters his
>>>>>>credentials
>>>>>> he reconnects fine.  I look in the RADIUS logs and see:
>>>>>> 
>>>>>> Mon Sep 10 17:06:58 2012 757006: ERR: EAP PEAP TLS Handshake
>>>>>> unsuccessful:  4076: 1 - error:14094417:SSL
>>>>>> routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
>>>>>> 
>>>>>> I don't have any more verbose logging at this time (The user is out
>>>>>>of
>>>>>> the office this week), but I was wondering if anyone else had seen
>>>>>>this
>>>>>> error message before.
>>>>>
>>>>>I have seen that just a couple of times but certainly not very often.
>>>>>Trace 4 log would be useful to see what happens during the TLS tunnel
>>>>>setup.
>>>>>
>>>>>There's one PEAP related fix in 4.10 patches. What you see may be
>>>>>related to PEAP fast reconnect aka session resumption. The patch fixes
>>>>>problems with windows clients.
>>>>>
>>>>>The problem does not cause the error you are seeing so it may be
>>>>>related
>>>>>to some other client. However, if you can apply the patch, it might be
>>>>>worth trying.
>>>>>
>>>>>Thanks,
>>>>>Heikki
>>>>>
>>>>>-- 
>>>>>Heikki Vatiainen <hvn at open.com.au>
>>>>>
>>>>>Radiator: the most portable, flexible and configurable RADIUS server
>>>>>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>>>>TLS,
>>>>>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>>>>>NetWare etc.
>>>>>_______________________________________________
>>>>>radiator mailing list
>>>>>radiator at open.com.au
>>>>>http://www.open.com.au/mailman/listinfo/radiator
>>>>
>>>
>>
>