<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Dear All,</p>
<p>After an upgrade from a VM to a physical machine, we started having problems with Radsec on Radiator (This is Radiator 4.23).</p>
<p>From what we have managed to find, when we try to start a connection to a remote Radsec radius the first steps occurs, and we receive a reply.</p>
<p>At the second communication, when we tries to send the public part of our certificate an error occurs.</p>
<p>On our Radiator we have the following message, referring a Net::SSLeay error:</p>
<p>Wed Oct 30 03:38:28 2019 698096: ERR: StreamTLS could not create SSL: Net::SSLeay::new failed: 284759: 1 - error:140BA0C3:SSL routines:SSL_new:null ssl ctx<br />,Inappropriate ioctl for device</p>
<p>This comes from the following real authentication example:</p>
<p>Wed Oct 30 03:38:28 2019 672988: DEBUG: Resolver found SRV record for realm alunos.ipb.pt: _radsec._tcp.alunos.ipb.pt. 900 IN SRV 0 0 2083 earth.ipb.pt.<br />Wed Oct 30 03:38:28 2019 673180: DEBUG: Resolver doing A lookup for earth.ipb.pt, Protocol radius Transport tcp UseTLS 1 Order 100 Preference 10 Port 2083 Priority 0 Weight 0 SRVName _radsec._tcp.alunos.ipb.pt<br />Wed Oct 30 03:38:28 2019 673672: DEBUG: Resolver doing AAAA lookup for earth.ipb.pt, Protocol radius Transport tcp UseTLS 1 Order 100 Preference 10 Port 2083 Priority 0 Weight 0 SRVName _radsec._tcp.alunos.ipb<br />.pt<br />Wed Oct 30 03:38:28 2019 681964: DEBUG: Resolver found A record for realm alunos.ipb.pt: earth.ipb.pt. 900 IN A 193.136.195.229<br />Wed Oct 30 03:38:28 2019 683293: DEBUG: Resolver found AAAA record for realm alunos.ipb.pt: earth.ipb.pt. 900 IN AAAA 2001:690:22c0:201::229<br />Wed Oct 30 03:38:28 2019 683544: DEBUG: AuthDNSROAM: Discovered server for alunos.ipb.pt: earth.ipb.pt(193.136.195.229):2083, radius, tcp, 1, _radsec._tcp.alunos.ipb.pt<br />Wed Oct 30 03:38:28 2019 683698: INFO: AuthBy DNSROAM adding new target for alunos.ipb.pt<br />Wed Oct 30 03:38:28 2019 685243: DEBUG: Handling with Radius::AuthRADSEC<br />Wed Oct 30 03:38:28 2019 686333: DEBUG: Stream attempting tcp connection to 193.136.195.229 (193.136.195.229:2083)<br />Wed Oct 30 03:38:28 2019 686551: DEBUG: Stream connection in progress to 193.136.195.229 (193.136.195.229:2083)<br />Wed Oct 30 03:38:28 2019 687210: DEBUG: Packet dump:<br />*** Sending request to RadSec localhost (193.136.195.229:2083) ....<br />Code: Access-Request<br />Identifier: 1<br />Authentic: <197>I<228><161><149>thbV3<134>$<26><148><210>9<br />Attributes:<br />... (hided )<br />Wed Oct 30 03:38:28 2019 697459: DEBUG: Stream connected to localhost (193.136.195.229:2083)<br />Wed Oct 30 03:38:28 2019 697725: DEBUG: StreamTLS sessionInit for localhost<br />Wed Oct 30 03:38:28 2019 698096: ERR: StreamTLS could not create SSL: Net::SSLeay::new failed: 284759: 1 - error:140BA0C3:SSL routines:SSL_new:null ssl ctx<br />,Inappropriate ioctl for device</p>
<p>There is some strange thing that we have found. The connection first is sent to 193.136.195.229 and after that is referred as localhost (localhost (193.136.195.229:2083)).</p>
<p>Our DNS servers resolves everything fine, as the logs shows, and the connection is sent to the correct Radius server (confirmed by us).</p>
<p>On the opposite side, when we receive a connection from a Radsec server everything works fine, without any problem.</p>
<p>Our certificate is working fine on our secondary server, on a VM machine. We have confirmed that our certificate is ok on the problematic server.</p>
<p>Our configuration is the following. On the Radsec server side:</p>
<p>## Resolver - Using the DNS of the machine ##</p>
<p><Resolver><br /> NAPTR-Pattern x-eduroam:(radius)\.(tls)<br /><span> <span> </span></span>DirectAddressLookup 0<br /><span> <span> </span></span>Debug<br /></Resolver></p>
<p><ServerRADSEC><br /><span> <span> </span></span>Port 2083<br /><span> <span> </span></span>BindAddress 193.136.192.43<br /><span> <span> </span></span>Secret radsec<br /><span> <span> </span></span>Protocol tcp<br /><span> <span> </span></span>UseTLS<br /><span> <span> </span></span>TLS_CAFile /etc/radiator/cert/cert_2016/cv-radius.fccn.pt-ca.pem<br /><span> <span> </span></span>TLS_CertificateFile /etc/radiator/cert/cert_2016/cv-radius.fccn.pt-crt.pem<br /><span> <span> </span></span>TLS_CertificateType PEM<br /><span> <span> </span></span>TLS_PrivateKeyFile /etc/radiator/cert/cert_2016/cv-radius.fccn.pt-key.pem<br /><span> <span> </span></span>TLS_PolicyOID 1.3.6.1.4.1.25178.3.1.1<br /><span> <span> </span></span>TLS_RequireClientCert<br /><span> <span> </span></span>TLS_CRLCheck<br /><span> <span> </span></span>TLS_CRLCheckAll<br /><span> <span> </span></span>TLS_CRLFile /etc/radiator/cert/CRL/*.r0<br /><span> <span> </span></span>Identifier RadSec<br /><span> <span> </span></span>AddToRequest eduroam-SP-Country=UNKNOWN<br /></ServerRADSEC></p>
<p>On the "client" side on our server:</p>
<p><Handler Realm=/^(.*\.)*ipb\.pt$/,Client-Identifier=/^(?!IPB$)/><br /><span> <span> </span></span>AuthByPolicy ContinueUntilAccept<br /><span> <span> </span></span><AuthBy DNSROAM><br /><span> <span> </span></span><span> <span> </span></span>Port 2083<br /><span> <span> </span></span><span> <span> </span></span>Protocol radsec<br /><span> <span> </span></span><span> <span> </span></span>Transport tcp<br /><span> <span> </span></span><span> <span> </span></span>UseTLS 1<br /><span> <span> </span></span><span> <span> </span></span>Secret radsec<br /><span> <span> </span></span><span> <span> </span></span>ReconnectTimeout 1<br /><span> <span> </span></span><span> <span> </span></span>NoreplyTimeout 5<br /><span> <span> </span></span><span> <span> </span></span>ConnectOnDemand<br /><span> <span> </span></span><span> <span> </span></span>TLS_CAFile /etc/radiator/cert/cert_2016/cv-radius.fccn.pt-ca.pem<br /><span> <span> </span></span><span> <span> </span></span>TLS_CertificateFile /etc/radiator/cert/cert_2016/cv-radius.fccn.pt-crt.pem<br /><span> <span> </span></span><span> <span> </span></span>TLS_CertificateType PEM<br /><span> <span> <span> <span> </span></span></span></span>TLS_PrivateKeyFile /etc/radiator/cert/cert_2016/cv-radius.fccn.pt-key.pem<br /><span> <span> <span> <span> </span></span></span></span>TLS_CAPath /etc/radiator/<br /><span> <span> </span></span><span> <span> </span></span>TLS_PolicyOID .1.3.6.1.4.1.25178.3.1.2<br /><span> <span> </span></span><span> <span> </span></span>TLS_ExpectedPeerName CN=.*<br /><span> <span> </span></span><span> <span> </span></span>#<Route><br /><span> <span> </span></span><span> <span> </span></span>#<span> <span><span> </span>Realm ipb.pt, alunos.ipb.pt</span></span><br /><span> <span> </span></span><span> <span> </span></span>#<span> <span> </span></span>Address 193.136.195.229<br /><span> <span> </span></span><span> <span> </span></span>#<span> <span> </span></span>Port 2083<br /><span> <span> </span></span><span> <span> </span></span>#<span> <span> </span></span>Transport tcp<br /><span> <span> </span></span><span> <span> </span></span>#<span> <span> </span></span>Protocol radsec<br /><span> <span> </span></span><span> <span> </span></span>#</Route><br /><span> <span> </span></span><span> <span> </span></span>#IgnoreAccountingResponse<br /><span> <span> </span></span></AuthBy><br /><span> <span> </span></span>AuthLog TICKS<br /><span> <span> </span></span>AuthLog roamingstats<br /><span> <span><span> </span>AcctLogFileName %L/Accounting/IPB/%Y-%m-detail</span></span><br /><span> <span> </span></span>RejectHasReason<br /></Handler></p>
<p>Has anyone run into the same problem before? Is this a well known question? </p>
<p>Best regards,</p>
<p>Pedro Simões</p>
<div>-- <br />
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">_______________________________________________<br /> Pedro Simões - <a href="mailto:psimoes@fccn.pt">psimoes@fccn.pt</a><br /> Área de Serviços de Rede | Network Services Area<br /> Eduroam | TCS | AAI<br /> FCT|FCCN<br /> Av. do Brasil, n.º 101<br /> 1700-066 Lisboa - Portugal<br /> Telefone|Phone +351 218440100; Fax +351 218472167<br /> <a href="http://www.fccn.pt" target="_blank" rel="noreferrer">www.fccn.pt</a> | <a href="http://www.eduroam.pt" target="_blank" rel="noreferrer">www.eduroam.pt</a> || tcs.fccn.pt | rctsaai.fccn.pt</div>
</div>
</body></html>