Attached is an extract from the RADIUS log, where the user failed SSL
authentication...

We are running 4.9 with patches...


-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 9/14/12 3:42 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:

>On 09/14/2012 07:16 PM, Johnson, Neil M wrote:
>
>> I have a wireless user who a few times a day gets asked to re-enter his
>> credentials on his Windows 7 system.  After he re-enters his credentials
>> he reconnects fine.  I look in the RADIUS logs and see:
>> 
>> Mon Sep 10 17:06:58 2012 757006: ERR: EAP PEAP TLS Handshake
>> unsuccessful:  4076: 1 - error:14094417:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
>> 
>> I don't have any more verbose logging at this time (The user is out of
>> the office this week), but I was wondering if anyone else had seen this
>> error message before.
>
>I have seen that just a couple of times but certainly not very often.
>Trace 4 log would be useful to see what happens during the TLS tunnel
>setup.
>
>There's one PEAP related fix in 4.10 patches. What you see may be
>related to PEAP fast reconnect aka session resumption. The patch fixes
>problems with Windows clients.
>
>The problem does not cause the error you are seeing so it may be related
>to some other client. However, if you can apply the patch, it might be
>worth trying.
>
>Thanks,
>Heikki
>
>-- 
>Heikki Vatiainen <h...@open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
>_______________________________________________
>radiator mailing list
>radiator@open.com.au
>http://www.open.com.au/mailman/listinfo/radiator

Mon Sep 17 10:45:48 2012 891575: DEBUG: Packet dump:
*** Received from 128.255.11.10 port 43912 ....
Code:       Access-Request
Identifier: 134
Authentic:  (<127><3>wC<190><253>69<139><177>}$<149><189><229>
Attributes:
        User-Name = "rpru...@uiowa.edu"
        NAS-IP-Address = 128.255.11.10
        NAS-Port = 6192
        Called-Station-Id = "00-90-0B-27-10-59:UI-eduroam"
        Calling-Station-Id = "00-27-10-00-61-E0"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11a"
        Chargeable-User-Identity = ""
        EAP-Message = <2><1><0><22><1>rpru...@uiowa.edu
        Message-Authenticator = 
<154>l%<206><140>Q<191><23><204>U<19><154>5<246><129><222>

Mon Sep 17 10:45:48 2012 892222: DEBUG: Handling request with Handler 
'Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, 
Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Sep 17 10:45:48 2012 892567: DEBUG: PreProcessing Hook: called.
Mon Sep 17 10:45:48 2012 892952: DEBUG:  Deleting session for 
rpru...@uiowa.edu, 128.255.11.10, 6192
Mon Sep 17 10:45:48 2012 893281: DEBUG: Handling with Radius::AuthLSA: 
Mon Sep 17 10:45:48 2012 893691: DEBUG: Handling with EAP: code 2, 1, 22, 1
Mon Sep 17 10:45:48 2012 894010: DEBUG: Response type 1
Mon Sep 17 10:45:48 2012 894461: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Sep 17 10:45:48 2012 894781: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP 
Challenge
Mon Sep 17 10:45:48 2012 895216: DEBUG: Access challenged for 
rpru...@uiowa.edu: EAP PEAP Challenge
Mon Sep 17 10:45:48 2012 895578: DEBUG: PostProcessing Hook: called.
Mon Sep 17 10:45:48 2012 896180: DEBUG: Packet dump:
*** Sending to 128.255.11.10 port 43912 ....
Code:       Access-Challenge
Identifier: 134
Authentic:  <6><127>m<205>_<133>R<187>*<135><197><182><244><141>9<184>
Attributes:
        EAP-Message = <1><2><0><6><25> 
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Sep 17 10:45:48 2012 923988: DEBUG: Packet dump:
*** Received from 128.255.11.10 port 43912 ....
Code:       Access-Request
Identifier: 135
Authentic:  d<26><200><209><199><215><0><180><217><238><227>:<242>wq<175>
Attributes:
        User-Name = "rpru...@uiowa.edu"
        NAS-IP-Address = 128.255.11.10
        NAS-Port = 6192
        Called-Station-Id = "00-90-0B-27-10-59:UI-eduroam"
        Calling-Station-Id = "00-27-10-00-61-E0"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11a"
        Chargeable-User-Identity = ""
        EAP-Message = 
<2><2><0><137><25><128><0><0><0><127><22><3><1><0>z<1><0><0>v<3><1>PWE<172><224>s~<223><141><24>N<175>f<134>#<168>@R<173><238><217><17>r<192>:dP<171><20>%ZH
 
<185>]<14>|k<174><202><162><166><147>/<241><178>-<21><219><6>8M<129>"+N<219>Ad\Fn<173><189>a<0><24><0>/<0>5<0><5><0><10><192><19><192><20><192><9><192><10><0>2<0>8<0><19><0><4><1><0><0><21><255><1><0><1><0><0><10><0><6><0><4><0><23><0><24><0><11><0><2><1><0>
        Message-Authenticator = 
<25><150>5<174>(<232><25><195>2<142>^<175><128><223>Y<2>

Mon Sep 17 10:45:48 2012 924648: DEBUG: Handling request with Handler 
'Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, 
Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Sep 17 10:45:48 2012 924993: DEBUG: PreProcessing Hook: called.
Mon Sep 17 10:45:48 2012 925378: DEBUG:  Deleting session for 
rpru...@uiowa.edu, 128.255.11.10, 6192
Mon Sep 17 10:45:48 2012 925707: DEBUG: Handling with Radius::AuthLSA: 
Mon Sep 17 10:45:48 2012 926114: DEBUG: Handling with EAP: code 2, 2, 137, 25
Mon Sep 17 10:45:48 2012 926432: DEBUG: Response type 25
Mon Sep 17 10:45:48 2012 927004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Mon Sep 17 10:45:48 2012 927450: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Sep 17 10:45:48 2012 927769: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP 
Challenge
Mon Sep 17 10:45:48 2012 928102: DEBUG: Access challenged for 
rpru...@uiowa.edu: EAP PEAP Challenge
Mon Sep 17 10:45:48 2012 928463: DEBUG: PostProcessing Hook: called.
Mon Sep 17 10:45:48 2012 930446: DEBUG: Packet dump:
*** Sending to 128.255.11.10 port 43912 ....
Code:       Access-Challenge
Identifier: 135
Authentic:  +7<243><253>"<241><198><234><1><220>kz<25>X<161><235>
Attributes:
        EAP-Message = 
<1><3><4><236><25><192><0><0><15>!<22><3><1><0>J<2><0><0>F<3><1>PWE<172>`<235>P<240>i<6><226>3<229>cW<160><190><25><235>X<242><235><217>4<153><3>[<236><229><204><146><20>
 
<17><232>K<128>E<196>NB<155><196>u<235>1ky<239><154>M<158><12><193><207><199>t<233><174><<186><8>d<217><251><0>/<0><22><3><1><14><196><11><0><14><192><0><14><189><0><5><179>0<130><5><175>0<130><4><151><160><3><2><1><2><2><17><0><192>1<252><202><166><225>N<140>vY<9>c<243><202>f<195>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0Q1<11>0<9><6><3>U<4><6><19><2>US1<18>0<16><6><3>U<4><10><19><9>Internet21<17>0<15><6><3>U<4><11><19><8>InCommon1<27>0<25><6><3>U<4><3><19><18>InCommon
 Server CA0<30><23><13>110603000000Z<23><13>
        EAP-Message = 
140602235959Z0<130><1><26>1<11>0<9><6><3>U<4><6><19><2>US1<14>0<12><6><3>U<4><17><19><5>522421<11>0<9><6><3>U<4><8><19><2>IA1<18>0<16><6><3>U<4><7><19><9>Iowa
 City1<25>0<23><6><3>U<4><9><19><16>416-3 North 
Hall1<31>0<29><6><3>U<4><9><19><22>The University of 
Iowa1301<6><3>U<4><9><19>*ITS Telecommunication and Network 
Services1<27>0<25><6><3>U<4><10><19><18>University of 
Iowa1<19>0<17><6><3>U<4><11><19><10>ITS-TNS-NS1<20>0<18><6><3>U<4><11><19><11>
        EAP-Message = 
PlatinumSSL1!0<31><6><3>U<4><3><19><24>net-auth-1.its.uiowa.edu0<130><1>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2><130><1><1><0><157>43z1<181>"<145><197>$<25><25><187>J<11><220><193><164><232>SD;<217><177>p<157>`#<201><223><219><179>6<150><216><26>B<13><217><188>B0<184>.<246><168><2><9><243>[d<138>4<21><155><222><1><235>=<232><138>R&<176><19>}<145><216><156><255>C<20><216>b<154><29>@<224>`<17>2z<220>\<165><168><4<2>$o<232><27><206><235><226>C<213>NmI@Q<138><233><218><22><234><241><23>9IQ<152>gM<132>81i<142><228><220><228><16><246><14>!<200>[q<160><239><130><178><254><8>T<177>tD<25><226>g<26><226>B<16><193><158>^}<217><211>5oA<8>7<132><161><15><153><14><232><28>]<133><179><130>n<194><129><16>
        EAP-Message = 
u<186>-<203><175><187>U?<244>-M<156><229>kK<186><209><197><162><169><247><178><220><31>7<191><162>7<131><142>f<203><161>t<132><203>S<202><176><133><186>m"JV<159>Y{l)<235><178><200><11>w<176><185>k<249>*B<10><239><193><183>|<255><24>'<236><166><151><20><246><191><146><128>~<240><198><252>=<2><3><1><0><1><163><130><1><181>0<130><1><177>0<31><6><3>U<29>#<4><24>0<22><128><20>HOZ<250>/J<154>^<224>P<243>k{U<165><222><245><190>4]0<29><6><3>U<29><14><4><22><4><20>\<16><243><136><230><129>q<30><128><0>*<210>M<211><245><127>=Q<10><222>0<14><6><3>U<29><15><1><1><255><4><4><3><2><5><160>0<12><6><3>U<29><19><1><1><255><4><2>0<0>0<29><6><3>U<29>%<4><22>0<20><6><8>+<6><1><5><5><7><3><1><6><8>+<6><1><5><5><7><3><2>0]<6><3>U<29>
 <4>V0T0R<6><12>+<6><1><4><1><174>#<1><4><3><1><1>0B0@<6><8>
        EAP-Message = 
+<6><1><5><5><7><2><1><22>4https://www.incommon.org/cert/repository/cps_ssl.pdf0=<6><3>U<29><31><4>60402<160>0<160>.<134>,http://crl.incommon.org/InCommonServerCA.crl0o<6><8>+<6><1><5><5><7><1><1><4>c0a09<6><8>+<6><1><5><5><7>0<2><134>-http://cert.incommon.org/InCommonServerCA.crt0$<6><8>+<6><1><5><5><7>0<1><134><24>http://ocsp.incommon.org0#<6><3>U<29><17><4><28>0
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Sep 17 10:45:48 2012 984744: DEBUG: Packet dump:
*** Received from 128.255.11.10 port 43912 ....
Code:       Access-Request
Identifier: 137
Authentic:  W<245>pj<144><131><11><213><214><198><155>_b<255><235><202>
Attributes:
        User-Name = "rpru...@uiowa.edu"
        NAS-IP-Address = 128.255.11.10
        NAS-Port = 6192
        Called-Station-Id = "00-90-0B-27-10-59:UI-eduroam"
        Calling-Station-Id = "00-27-10-00-61-E0"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11a"
        Chargeable-User-Identity = ""
        EAP-Message = <2><3><0><6><25><0>
        Message-Authenticator = 
<228><225><156>U!g<174>1<1>"<10>:<207><196>@<164>

Mon Sep 17 10:45:48 2012 985496: DEBUG: Handling request with Handler 
'Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, 
Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Sep 17 10:45:48 2012 985841: DEBUG: PreProcessing Hook: called.
Mon Sep 17 10:45:48 2012 986225: DEBUG:  Deleting session for 
rpru...@uiowa.edu, 128.255.11.10, 6192
Mon Sep 17 10:45:48 2012 986553: DEBUG: Handling with Radius::AuthLSA: 
Mon Sep 17 10:45:48 2012 986960: DEBUG: Handling with EAP: code 2, 3, 6, 25
Mon Sep 17 10:45:48 2012 987276: DEBUG: Response type 25
Mon Sep 17 10:45:48 2012 987730: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Sep 17 10:45:48 2012 988050: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP 
Challenge
Mon Sep 17 10:45:48 2012 988382: DEBUG: Access challenged for 
rpru...@uiowa.edu: EAP PEAP Challenge
Mon Sep 17 10:45:48 2012 988740: DEBUG: PostProcessing Hook: called.
Mon Sep 17 10:45:48 2012 990861: DEBUG: Packet dump:
*** Sending to 128.255.11.10 port 43912 ....
Code:       Access-Challenge
Identifier: 137
Authentic:  <143><144><139><1>u<18><177>IQ<189><138>]<18><214>u<17>
Attributes:
        EAP-Message = 
<1><4><4><232><25>@<26><130><24>net-auth-1.its.uiowa.edu0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><130><1><1><0><149><241>
 
d<246>"<25><130><26>M<0><136><140><3>%<174><163><167>6<207><20><167><13><175><176><226>%(<178><182><140>Xp<173>\J<141><240><162>2i<175><242>8<152><133><139>Oy;<244><225><<145><2><189><255><182><229><215><223>Q<24><18><139>l<225>#<167><162><225><237><177><202>1<166><199>X:,|<184><137>=<236>R<237><195>-L<139><180><200><184>7<139><201>(<149><239><240><195><189><21><181>v<213><207>V<135><197><184>%n<215><177>cR@PXi<180><226>&<5><31><161>[G<191><131>8<167><131>c<191><215><195>=<182>s<139><136>P<21><19><231>z<22>`<255><152>K1<19><25><190>$<139><7>P<168><155><210><189>j+<155><129>j0<225>
 
<25><202><11>"<155><203><225><236><128><141><217><205>;P<135><202><230><8>D<226><9><224><140><186><11><222>
        EAP-Message = 
<151><21>P<182>@<238><28><254>e,<219><195><208><24><239><156>y<232><16><193>P<249>)<154><203><11><139><133><156><190>(<235><172><164><26><240><251><128>2D<221><170><221>|<231><224>Nj<160>^<132>[<189>*5<143><0><4><199>0<130><4><195>0<130><3><171><160><3><2><1><2><2><16><127>q<193><211><162>&<176><210><177><19><243><230><129>gd>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0o1<11>0<9><6><3>U<4><6><19><2>SE1<20>0<18><6><3>U<4><10><19><11>AddTrust
 AB1&0$<6><3>U<4><11><19><29>AddTrust External TTP Network1"0 
<6><3>U<4><3><19><25>AddTrust External CA 
Root0<30><23><13>101207000000Z<23><13>200530104838Z0Q1
        EAP-Message = 
<11>0<9><6><3>U<4><6><19><2>US1<18>0<16><6><3>U<4><10><19><9>Internet21<17>0<15><6><3>U<4><11><19><8>InCommon1<27>0<25><6><3>U<4><3><19><18>InCommon
 Server 
CA0<130><1>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2><130><1><1><0><151>|<199><200><254><179><233>
 
j<163><164>O<142><142>4V<6><179>zl<170><16><155>Ha+6<144>i<227>4<10>G<167><187>{<222><170>j<251><235><130><149><143><202><29><127><175>u<166><168>L<218>
 
ga<26><13><134><193><202><193><135><175><172>N<228><222>b<27>/<157><177><152><175><198><1><251><23>p<219><172><20>Y<236>o?3<127><166><152><11><228><226>8<175><245><127><133>m<14>t<4><157><246>'<134><199><155><143><231>q*<8><244><3><2>@c$}@W<143>T<224>T~<182><19>Ha<241><222><206><14><189><182><250>M
        EAP-Message = 
<152><178><217><13><141>y<166><224><170><205><12><145><154><165><223><171>s<187><202><20>x\G)<161><202><197><186><159><199><218>`<247><255><231><127><242><217><218><161>-<15>I<22><167><211><0><146><207><138>G<217>M<248><213><149>f<211>t<249><128>c<0>OL<132><22><31><179><245>$<31><161>N<222><232><149><214><178><11><9><139>,k<199>\/<140>c<201><153><203>R<177>b{s<1>b<127>cl<216>h<160><238>j<168><141><31>)<243><208><24><172><173><2><3><1><0><1><163><130><1>w0<130><1>s0<31><6><3>U<29>#<4><24>0<22><128><20><173><189><152>z4<180>&<247><250><196>&T<239><3><189><224>$<203>T<26>0<29><6><3>U<29><14><4><22><4><20>HOZ<250>/J<154>^<224>P<243>k{U<165><222><245><190>4]0<14><6><3>U<29><15><1><1><255><4><4><3><2><1><6>0<18><6><3>U<29><19><1><1><255><4><8>0<6><1><1><255><2><1><0>0<17><6><3>U<29>
 <4><10>0<8>0<6><6><4>U<29> <0>0D<6><3>U
        EAP-Message = 
<29><31><4>=0;09<160>7<160>5<134>3http://crl.usertrust.com/AddTrustExternalCARoot.crl0<129><179><6><8>+<6><1><5><5><7><1><1><4><129><166>0<129><163>0?<6><8>+<6><1><5><5><7>0<2><134>3http://crt.usertrust.com/AddTrustExternalCARoot.p7c09<6><8>+<6><1><5><5><7>0<2><134>-http://crt.usertrust.com/AddTrustUTNSGCCA.crt0%<6><8>+<6><1><5><5><7>0<1><134><25>http://ocsp.usertrust.
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon Sep 17 10:45:49 2012 052624: DEBUG: Packet dump:
*** Received from 128.255.11.10 port 43912 ....
Code:       Access-Request
Identifier: 138
Authentic:  H(<128>i<161>I<20><150> ]*<8><30>8<223><242>
Attributes:
        User-Name = "rpru...@uiowa.edu"
        NAS-IP-Address = 128.255.11.10
        NAS-Port = 6192
        Called-Station-Id = "00-90-0B-27-10-59:UI-eduroam"
        Calling-Station-Id = "00-27-10-00-61-E0"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11a"
        Chargeable-User-Identity = ""
        EAP-Message = <2><4><0><17><25><128><0><0><0><7><21><3><1><0><2><2>/
        Message-Authenticator = 
<243>\<23><199><222><159><225>_<210><240><2>n<14>8<144><230>

Mon Sep 17 10:45:49 2012 053371: DEBUG: Handling request with Handler 
'Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, 
Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Sep 17 10:45:49 2012 053718: DEBUG: PreProcessing Hook: called.
Mon Sep 17 10:45:49 2012 054101: DEBUG:  Deleting session for 
rpru...@uiowa.edu, 128.255.11.10, 6192
Mon Sep 17 10:45:49 2012 054430: DEBUG: Handling with Radius::AuthLSA: 
Mon Sep 17 10:45:49 2012 054838: DEBUG: Handling with EAP: code 2, 4, 17, 25
Mon Sep 17 10:45:49 2012 055155: DEBUG: Response type 25
Mon Sep 17 10:45:49 2012 055517: DEBUG: EAP TLS SSL_accept result: 0, 1, 8576
Mon Sep 17 10:45:49 2012 055874: ERR: EAP PEAP TLS Handshake unsuccessful:  
2196: 1 - error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal 
parameter

Mon Sep 17 10:45:49 2012 056185: DEBUG: EAP result: 1, EAP PEAP TLS Handshake 
unsuccessful
Mon Sep 17 10:45:49 2012 056502: DEBUG: AuthBy LSA result: REJECT, EAP PEAP TLS 
Handshake unsuccessful
Mon Sep 17 10:45:49 2012 056834: INFO: Access rejected for rpru...@uiowa.edu: 
EAP PEAP TLS Handshake unsuccessful
Mon Sep 17 10:45:49 2012 057595: DEBUG: PostProcessing Hook: called.
Mon Sep 17 10:45:49 2012 058092: DEBUG: Packet dump:
*** Sending to 128.255.11.10 port 43912 ....
Code:       Access-Reject
Identifier: 138
Authentic:  <192>"y<13><1>}<30><211><152>q@F<211>~NQ
Attributes:
        Reply-Message = "Request Denied"
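
The last Access-Request in the log above carries the client's TLS alert unencrypted in its EAP-Message. As an added example (not part of the original post and not Radiator code), this Python code decodes the dump notation and parses the EAP-PEAP framing to recover the alert. It assumes, from the log, that `<N>` is one byte with decimal value N and every other character is literal; the function names are hypothetical.

```python
import re
import struct

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
          47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version"}
LEVELS = {1: "warning", 2: "fatal"}
EAP_PEAP = 25  # EAP type logged as "Response type 25"


def unescape_dump(text):
    """Assumption from the log: <N> is one byte (decimal), the rest is literal."""
    out = bytearray()
    for m in re.finditer(r"<(\d{1,3})>|(.)", text, re.S):
        if m.group(1) is not None:
            out.append(int(m.group(1)))  # raises ValueError if N > 255
        else:
            out += m.group(2).encode("latin-1")
    return bytes(out)


def parse_peap_message(eap):
    """Parse one unfragmented EAP-PEAP packet and list its TLS records."""
    if len(eap) < 6:
        raise ValueError("too short for an EAP-PEAP packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if length != len(eap) or eap_type != EAP_PEAP:
        raise ValueError("length mismatch or not EAP type 25")
    flags, pos, tls_len = eap[5], 6, None
    if flags & 0x80:  # L bit: 4-byte total TLS message length follows
        tls_len = struct.unpack("!I", eap[6:10])[0]
        pos = 10
    records = []
    while pos + 5 <= len(eap):
        ctype, major, minor, rlen = struct.unpack("!BBBH", eap[pos:pos + 5])
        body = eap[pos + 5:pos + 5 + rlen]
        rec = {"content_type": ctype, "version": (major, minor), "length": rlen}
        if ctype == 21 and len(body) == 2:  # plaintext alert: level, description
            rec["alert"] = (LEVELS.get(body[0], body[0]), ALERTS.get(body[1], body[1]))
        records.append(rec)
        pos += 5 + rlen
    return {"code": code, "id": ident, "more_fragments": bool(flags & 0x40),
            "tls_length": tls_len, "records": records}


# EAP-Message values copied from the two short client requests in the log above.
ACK = "<2><3><0><6><25><0>"
FAILING = "<2><4><0><17><25><128><0><0><0><7><21><3><1><0><2><2>/"

if __name__ == "__main__":
    for name, dump in (("ack", ACK), ("failing", FAILING)):
        print(name, parse_peap_message(unescape_dump(dump)))
```

An `alert` entry in a packet with EAP code 2 (Response) means the supplicant sent the alert, which matches the `SSL3_READ_BYTES:sslv3 alert illegal parameter` text that OpenSSL reports on the server side.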