[RADIATOR] Problem with Radsec connections
Pedro Simões
psimoes at fccn.pt
Thu Oct 31 16:23:11 UTC 2019
Dear All,
After an upgrade from a VM to a physical machine, we started having
problems with Radsec on Radiator (This is Radiator 4.23).
>From what we have managed to find, when we try to start a connection to
a remote Radsec radius the first steps occurs, and we receive a reply.
At the second communication, when we tries to send the public part of
our certificate an error occurs.
On our Radiator we have the following message, referring a Net::SSLeay
error:
Wed Oct 30 03:38:28 2019 698096: ERR: StreamTLS could not create SSL:
Net::SSLeay::new failed: 284759: 1 - error:140BA0C3:SSL
routines:SSL_new:null ssl ctx
,Inappropriate ioctl for device
This comes from the following real authentication example:
Wed Oct 30 03:38:28 2019 672988: DEBUG: Resolver found SRV record for
realm alunos.ipb.pt: _radsec._tcp.alunos.ipb.pt. 900 IN SRV 0 0 2083
earth.ipb.pt.
Wed Oct 30 03:38:28 2019 673180: DEBUG: Resolver doing A lookup for
earth.ipb.pt, Protocol radius Transport tcp UseTLS 1 Order 100
Preference 10 Port 2083 Priority 0 Weight 0 SRVName
_radsec._tcp.alunos.ipb.pt
Wed Oct 30 03:38:28 2019 673672: DEBUG: Resolver doing AAAA lookup for
earth.ipb.pt, Protocol radius Transport tcp UseTLS 1 Order 100
Preference 10 Port 2083 Priority 0 Weight 0 SRVName
_radsec._tcp.alunos.ipb
.pt
Wed Oct 30 03:38:28 2019 681964: DEBUG: Resolver found A record for
realm alunos.ipb.pt: earth.ipb.pt. 900 IN A 193.136.195.229
Wed Oct 30 03:38:28 2019 683293: DEBUG: Resolver found AAAA record for
realm alunos.ipb.pt: earth.ipb.pt. 900 IN AAAA 2001:690:22c0:201::229
Wed Oct 30 03:38:28 2019 683544: DEBUG: AuthDNSROAM: Discovered server
for alunos.ipb.pt: earth.ipb.pt(193.136.195.229):2083, radius, tcp, 1,
_radsec._tcp.alunos.ipb.pt
Wed Oct 30 03:38:28 2019 683698: INFO: AuthBy DNSROAM adding new target
for alunos.ipb.pt
Wed Oct 30 03:38:28 2019 685243: DEBUG: Handling with Radius::AuthRADSEC
Wed Oct 30 03:38:28 2019 686333: DEBUG: Stream attempting tcp connection
to 193.136.195.229 (193.136.195.229:2083)
Wed Oct 30 03:38:28 2019 686551: DEBUG: Stream connection in progress to
193.136.195.229 (193.136.195.229:2083)
Wed Oct 30 03:38:28 2019 687210: DEBUG: Packet dump:
*** Sending request to RadSec localhost (193.136.195.229:2083) ....
Code: Access-Request
Identifier: 1
Authentic: <197>I<228><161><149>thbV3<134>$<26><148><210>9
Attributes:
... (hided )
Wed Oct 30 03:38:28 2019 697459: DEBUG: Stream connected to localhost
(193.136.195.229:2083)
Wed Oct 30 03:38:28 2019 697725: DEBUG: StreamTLS sessionInit for
localhost
Wed Oct 30 03:38:28 2019 698096: ERR: StreamTLS could not create SSL:
Net::SSLeay::new failed: 284759: 1 - error:140BA0C3:SSL
routines:SSL_new:null ssl ctx
,Inappropriate ioctl for device
There is some strange thing that we have found. The connection first is
sent to 193.136.195.229 and after that is referred as localhost
(localhost (193.136.195.229:2083)).
Our DNS servers resolves everything fine, as the logs shows, and the
connection is sent to the correct Radius server (confirmed by us).
On the opposite side, when we receive a connection from a Radsec server
everything works fine, without any problem.
Our certificate is working fine on our secondary server, on a VM
machine. We have confirmed that our certificate is ok on the problematic
server.
Our configuration is the following. On the Radsec server side:
## Resolver - Using the DNS of the machine ##
<Resolver>
NAPTR-Pattern x-eduroam:(radius)\.(tls)
DirectAddressLookup 0
Debug
</Resolver>
<ServerRADSEC>
Port 2083
BindAddress 193.136.192.43
Secret radsec
Protocol tcp
UseTLS
TLS_CAFile /etc/radiator/cert/cert_2016/cv-radius.fccn.pt-ca.pem
TLS_CertificateFile
/etc/radiator/cert/cert_2016/cv-radius.fccn.pt-crt.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile
/etc/radiator/cert/cert_2016/cv-radius.fccn.pt-key.pem
TLS_PolicyOID 1.3.6.1.4.1.25178.3.1.1
TLS_RequireClientCert
TLS_CRLCheck
TLS_CRLCheckAll
TLS_CRLFile /etc/radiator/cert/CRL/*.r0
Identifier RadSec
AddToRequest eduroam-SP-Country=UNKNOWN
</ServerRADSEC>
On the "client" side on our server:
<Handler Realm=/^(.*\.)*ipb\.pt$/,Client-Identifier=/^(?!IPB$)/>
AuthByPolicy ContinueUntilAccept
<AuthBy DNSROAM>
Port 2083
Protocol radsec
Transport tcp
UseTLS 1
Secret radsec
ReconnectTimeout 1
NoreplyTimeout 5
ConnectOnDemand
TLS_CAFile /etc/radiator/cert/cert_2016/cv-radius.fccn.pt-ca.pem
TLS_CertificateFile
/etc/radiator/cert/cert_2016/cv-radius.fccn.pt-crt.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile
/etc/radiator/cert/cert_2016/cv-radius.fccn.pt-key.pem
TLS_CAPath /etc/radiator/
TLS_PolicyOID .1.3.6.1.4.1.25178.3.1.2
TLS_ExpectedPeerName CN=.*
#<Route>
# Realm ipb.pt, alunos.ipb.pt
# Address 193.136.195.229
# Port 2083
# Transport tcp
# Protocol radsec
#</Route>
#IgnoreAccountingResponse
</AuthBy>
AuthLog TICKS
AuthLog roamingstats
AcctLogFileName %L/Accounting/IPB/%Y-%m-detail
RejectHasReason
</Handler>
Has anyone run into the same problem before? Is this a well known
question?
Best regards,
Pedro Simões
--
_______________________________________________
Pedro Simões - psimoes at fccn.pt
Área de Serviços de Rede | Network Services Area
Eduroam | TCS | AAI
FCT|FCCN
Av. do Brasil, n.º 101
1700-066 Lisboa - Portugal
Telefone|Phone +351 218440100; Fax +351 218472167
www.fccn.pt [1] | www.eduroam.pt [2] || tcs.fccn.pt | rctsaai.fccn.pt
Links:
------
[1] http://www.fccn.pt
[2] http://www.eduroam.pt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20191031/2a06d076/attachment.html>
More information about the radiator
mailing list