[RADIATOR] strange PEAP problems

Heikki Vatiainen hvn at open.com.au
Tue May 20 18:16:30 CDT 2014


On 05/20/2014 03:55 PM, Jakob Schlyter wrote:

> I'm having a very strange PEAP problem that I hope someone on this list can inject some clue into.
> 
> In some cases, PEAP setup times out with:
> 
> EAP TLS error: -1, 1, 8466,  2243: 1 - error:140A1159:SSL routines:SSL_BYTES_TO_CIPHER_LIST:scsv received when renegotiating
> 
> In other cases, everything works just fine.

Hello Jakob,

I think this:
http://tools.ietf.org/html/rfc5746

and EAPTLS_AllowUnsafeLegacyRenegotiation in the Radiator reference manual
should provide information about what happens.

Can you tell what the clients are? Are they, for example, all using an
old operating system or EAP client software (supplicant) that does not
have the fix described in the RFC?

> It seems to always work with a small number (1) of intermediate RADIUS proxies in between the originating RADIUS client and the server with the problems, but always fail with more proxies in between. It doesn't matter if the server-to-server protocol is RADIUS or RADSEC.

Hmm, can't say why the number of proxies should matter. However, you
should check you do *not* have 'DupInterval 0' in your configuration.
More proxies might mean there are more retransmissions and if you allow
duplicates, then this can also mess up EAP based (and any other)
authentication. The error is likely not the above, but something else
related to TLS.

> PEAP backend is <AuthBy SQL> if that makes any difference.

That does not matter since this happens during the phase 1, that is, TLS
tunnel establishment.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
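
Added example (not part of the original message and not Radiator or OpenSSL code): a simplified Python model of the RFC 5746 server-side ClientHello checks, showing when a hello is rejected with the "scsv received when renegotiating" condition quoted in the thread. The function names and the sample cipher-suite bytes are constructed for illustration, and the renegotiation branch assumes the initial handshake already negotiated secure renegotiation.

```python
import hmac
import struct

SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, section 3.3)

# Constructed sample: cipher_suites vector holding 0xC02F, 0x009C and the SCSV.
SAMPLE_SUITES = bytes.fromhex("0006c02f009c00ff")


def parse_cipher_suites(blob: bytes) -> list:
    """Decode a ClientHello cipher_suites vector: 2-byte length, then 2-byte IDs."""
    if len(blob) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", blob[:2])
    body = blob[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad cipher_suites length")
    return [suite for (suite,) in struct.iter_unpack("!H", body)]


def check_client_hello(suites, reneg_info, renegotiating, saved_client_verify=b""):
    """Hypothetical helper returning (accepted, reason) for one ClientHello.

    reneg_info is the renegotiated_connection field of the renegotiation_info
    extension, or None when the client did not send the extension.
    saved_client_verify is the client Finished verify_data kept from the
    previous handshake on this connection.
    """
    has_scsv = SCSV in suites
    if not renegotiating:
        # RFC 5746 section 3.6: initial handshake.
        if reneg_info:
            return False, "non-empty renegotiation_info on initial handshake"
        if has_scsv or reneg_info is not None:
            return True, "secure renegotiation supported"
        return True, "legacy client (no RFC 5746 support)"
    # RFC 5746 section 3.7: the SCSV must never appear in a renegotiation hello.
    if has_scsv:
        return False, "scsv received when renegotiating"
    if reneg_info is None:
        return False, "renegotiation_info missing when renegotiating"
    if not hmac.compare_digest(reneg_info, saved_client_verify):
        return False, "renegotiation_info does not match saved verify_data"
    return True, "secure renegotiation verified"


if __name__ == "__main__":
    suites = parse_cipher_suites(SAMPLE_SUITES)
    print(check_client_hello(suites, None, renegotiating=False))
    print(check_client_hello(suites, None, renegotiating=True))
```

The same ClientHello is accepted as an initial handshake and rejected once the server considers the connection to be renegotiating, which is why the connection state the server sees matters as much as the bytes the client sent.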