[RADIATOR] AuthBy DUO issue

Alexander.Hartmaier at t-systems.com
Fri May 28 07:25:31 UTC 2021


Good morning Heikki,
awesome support from you as always, thank you!!!

I saw that the connection to Duo is TLS 1.3 in the packet captures I've taken.
Will try your suggestion and report back.

Best regards, Alex

T-SYSTEMS AUSTRIA GESMBH
PU Cyber Security
Network Architecture
Operation Manager Authentication
Rennweg 97-99, A-1030 Vienna
+43 57057 4320 (phone)
+43 676 8642 4320 (mobile)
E-mail: alexander.hartmaier at t-systems.com
Internet: www.t-systems.at
Blog: blog.t-systems.at
Social Media: Facebook, Linkedin, Twitter

BIG CHANGES START SMALL – CONSERVE RESOURCES BY NOT PRINTING EVERY E-MAIL.

****************************************************************************************************************
T-Systems Austria GesmbH, Rennweg 97-99, A-1030 Vienna
Commercial Court Vienna, FN 79340b
****************************************************************************************************************
Notice: This transmittal and/or attachments may be privileged or confidential. It is
intended solely for the addressee named above. If you received this transmittal in error,
please notify us immediately by reply and delete this message and all its attachments.
Thank you.
****************************************************************************************************************
________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: Thursday, 27 May 2021 18:57
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] AuthBy DUO issue

On 27.5.2021 19.36, Heikki Vatiainen wrote:
> On 27.5.2021 14.58, Alexander.Hartmaier at t-systems.com wrote:

>> Is this a known issue?

> As mentioned above, it's not. From what I know it's been used
> successfully on RHEL/CentOS systems and it works for me on Mac.

The problem might be TLS version related. The above don't do TLSv1.3.

> I'd say this is something specific for Debian 10 because the problem is
> not that hard to reproduce. This needs further investigation.

If possible, can you update AuthDUO.pm sub get_ssl_opts() with the
following:

   $ssl_opts{SSL_version} = 'TLSv1_2';

This kind of behaviour, where a TLS socket indicates it is readable but
there is no user data available, reminded me of TLS 1.3 and how it can
send keys for session resumption after the TLS handshake has been done.

A look at HTTPS traffic shows that there's both TLS 1.2 and 1.3 by
default. Restricting TLS to 1.2 seems to make the problem go away.

If you could also check this, please let me know if it changes anything.

Thanks,
Heikki


--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
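The symptom Heikki describes, a socket that select() reports as readable while the SSL layer hands back no application data, and the TLSv1_2 workaround he proposes can both be seen in a small IO::Socket::SSL client. The script below is an added example for this thread; it is not code from Radiator or from AuthDUO.pm, and the `--pin12` flag, the host and path taken from the command line, and port 443 are assumptions of the example. It needs network access to a real HTTPS host. With `--pin12` it does what the mail suggests and sets `SSL_version` to `TLSv1_2`; without it the connection may negotiate TLS 1.3 and the read loop shows how a non-blocking reader has to treat `SSL_WANT_READ` as "nothing yet, wait again" rather than as an error or an empty reply.

```perl
#!/usr/bin/perl
# Added example, not code from Radiator or AuthDUO.pm. Fetches one HTTPS
# URL with IO::Socket::SSL through a select()-driven read loop and shows
# two ways of coping with TLS 1.3 post-handshake messages (NewSessionTicket)
# that make the socket readable without application data behind it:
#   --pin12  : negotiate only TLS 1.2 (the workaround suggested in the mail)
#   default  : keep TLS 1.3 and treat SSL_WANT_READ as "nothing yet, wait"
# Host, path and port 443 are assumptions taken from the command line.
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR by default
use IO::Select;

my $pin12 = grep { $_ eq '--pin12' } @ARGV;
my ($host, $path) = grep { $_ ne '--pin12' } @ARGV;
die "usage: $0 [--pin12] host [path]\n" unless defined $host;
$path //= '/';

my %ssl_opts = (
    PeerHost        => $host,
    PeerPort        => 443,
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_hostname    => $host,   # SNI plus hostname verification
);
# Workaround from the mail: with TLS 1.3 excluded the server delivers its
# session ticket inside the handshake, so afterwards "readable" always
# means application data (or EOF).
$ssl_opts{SSL_version} = 'TLSv1_2' if $pin12;

my $sock = IO::Socket::SSL->new(%ssl_opts)
    or die "connect to $host failed: $!; $IO::Socket::SSL::SSL_ERROR\n";
print STDERR "negotiated ", $sock->get_sslversion, "\n";

$sock->print("GET $path HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n");
$sock->blocking(0);   # from here on a read may legitimately return "not yet"

my $sel = IO::Select->new($sock);
my ($response, $spurious) = ('', 0);
while (1) {
    # Records already decrypted inside the SSL layer never wake select(),
    # so only block when the SSL buffer is empty.
    if (!$sock->pending) {
        my @ready = $sel->can_read(30);
        die "timeout waiting for $host\n" unless @ready;
    }
    my $n = $sock->sysread(my $buf, 16384);
    if (defined $n) {
        last if $n == 0;        # clean EOF after the response
        $response .= $buf;
        next;
    }
    # Readable, but the SSL layer only consumed a non-application record.
    # Under TLS 1.3 this is typically the NewSessionTicket sent right after
    # the handshake; under TLS 1.2 (--pin12) this branch is not reached here.
    if ($IO::Socket::SSL::SSL_ERROR == IO::Socket::SSL::SSL_WANT_READ()) {
        $spurious++;
        next;
    }
    die "read error: $!; $IO::Socket::SSL::SSL_ERROR\n";
}
$sock->close;

my ($status) = $response =~ m{\A(HTTP/1\.[01] \d{3}[^\r\n]*)};
printf "%s\n%d bytes received, %d readable-but-empty wakeups\n",
    $status // 'no HTTP status line', length $response, $spurious;
```

Run it once with and once without `--pin12` against the same host and compare the "readable-but-empty wakeups" count. Pinning to TLS 1.2 removes the post-handshake message and so the symptom, at the price of giving up TLS 1.3 for that connection; a read loop that re-waits on `SSL_WANT_READ` and checks `pending()` before blocking works under both versions and is the change to carry into the server-side code once the cause is confirmed.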