[RADIATOR] issues with wireless eap authentication (tls errors)

Heikki Vatiainen hvn at open.com.au
Wed Sep 26 06:52:18 CDT 2012


On 09/24/2012 09:11 PM, James Zee wrote:

> I have a handful of Radiator servers that authenticate wireless users.
> Occasionally wireless authentication will fail on a given Radiator
> server. The only thing I've found in the logs that raises eyebrows is this:
> 
> Sep 21 13:59:22 10.136.234.71 Sep 21 13:59:22
> /opt/radiator/radiusd[1497]: EAP PEAP TLS read failed:  1497: 1 -
> error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong

Check if you have DupInterval 0, or some non-default very short value
for DupInterval. Many examples in goodies/ have DupInterval set to 0,
but this value should be used for command line debugging and some very
special cases only.

If duplicates are not detected correctly, they can be accepted as new
messages, causing e.g. TLS decryption errors.

TLS errors can also happen if messages are dropped or reordered. With
e.g. HTTPS, TCP keeps the TLS messages in the right order and takes care
of retransmissions. With UDP-based RADIUS, things can go wrong more easily.

> A reboot or stop / start of the daemon seems to fix the issue. Until the
> daemon has been bounced, however, authentications consistently fail and
> the number of these "block cipher pad is wrong" errors continues to go up.
> 
> I have found very little information when scouring the web in terms of
> what the error means. What causes it? It seems to happen after the
> servers have been on for a few days and authenticated many thousands of
> users. Maybe it's a memory leak of some sort?

If it is a memory leak the process size should be growing. Unfortunately
I am not aware of cases where the errors you are seeing are related to
server uptime.

> This has become extremely service impacting. Any thoughts on what may be
> causing this would be greatly appreciated.

I'd check DupInterval and server load. Can your server keep up with PEAP
authentication load?


Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
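
The duplicate-handling point in the reply above, as an added illustration that is not part of the original message and is not Radiator code: a simplified model in which a retransmitted RADIUS request slips past duplicate detection and is fed to the TLS record layer a second time. The key, client address, port, packet timings and the interval of 2 are constructed values, and the HMAC-with-sequence-number receiver is an assumed stand-in for a real TLS stack.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed value, not a real secret

def seal(seq, payload):
    """Sender side: append a MAC that covers the implicit record sequence number."""
    mac = hmac.new(KEY, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()
    return payload + mac

class RecordReceiver:
    """Toy stand-in for the TLS record layer inside a PEAP tunnel."""
    def __init__(self):
        self.seq = 0
        self.failed = False

    def receive(self, record):
        payload, mac = record[:-32], record[-32:]
        want = hmac.new(KEY, struct.pack(">Q", self.seq) + payload, hashlib.sha256).digest()
        if self.failed or not hmac.compare_digest(mac, want):
            self.failed = True  # record-layer errors are fatal for the session
            raise ValueError("TLS read failed")
        self.seq += 1
        return payload

def simulate(dup_interval):
    """Feed a constructed packet sequence through duplicate detection, then TLS."""
    first = seal(0, b"EAP fragment A")
    packets = [  # (arrival time in s, RADIUS identifier, tunnelled record)
        (0.0, 7, first),
        (1.0, 7, first),                      # NAS retransmission of the same request
        (1.2, 8, seal(1, b"EAP fragment B")),
    ]
    seen, tls, outcomes = {}, RecordReceiver(), []
    for now, ident, record in packets:
        key = ("192.0.2.10", 1645, ident)     # constructed client address and port
        last = seen.get(key)
        seen[key] = now
        if last is not None and now - last < dup_interval:
            outcomes.append("ignored-duplicate")
            continue
        try:
            tls.receive(record)
            outcomes.append("processed")
        except ValueError:
            outcomes.append("tls-error")
    return outcomes

if __name__ == "__main__":
    print("DupInterval 2:", simulate(2))
    print("DupInterval 0:", simulate(0))
```

With a window of 0 the retransmission is treated as a new message, the record check fails, and every later record in that session fails too.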

