Here's another trace excerpt... (Attached).

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 9/17/12 11:01 AM, "Johnson, Neil M" <neil-john...@uiowa.edu> wrote:

>Attached is an extract from the RADIUS log, where the user failed SSL
>authentication...
>
>We are running 4.9 with patches...
>
>
>-- 
>Neil Johnson
>Network Engineer
>The University of Iowa
>Phone: 319 384-0938
>Fax: 319 335-2951
>Mobile: 319 540-2081
>E-Mail: neil-john...@uiowa.edu
>
>
>
>
>
>
>On 9/14/12 3:42 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:
>
>>On 09/14/2012 07:16 PM, Johnson, Neil M wrote:
>>
>>> I have a wireless user who a few times a day gets asked to re-enter his
>>> credentials on his Windows 7 system.  After he re-enters his credentials
>>> he reconnects fine.  I look in the RADIUS logs and see:
>>> 
>>> Mon Sep 10 17:06:58 2012 757006: ERR: EAP PEAP TLS Handshake
>>> unsuccessful:  4076: 1 - error:14094417:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
>>> 
>>> I don't have any more verbose logging at this time (The user is out of
>>> the office this week), but I was wondering if anyone else had seen this
>>> error message before.
>>
>>I have seen that just a couple of times but certainly not very often.
>>Trace 4 log would be useful to see what happens during the TLS tunnel
>>setup.
>>
>>There's one PEAP related fix in 4.10 patches. What you see may be
>>related to PEAP fast reconnect aka session resumption. The patch fixes
>>problems with Windows clients.
>>
>>The problem does not cause the error you are seeing so it may be related
>>to some other client. However, if you can apply the patch, it might be
>>worth trying.
>>
>>Thanks,
>>Heikki
>>
>>-- 
>>Heikki Vatiainen <h...@open.com.au>
>>
>>Radiator: the most portable, flexible and configurable RADIUS server
>>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>>NetWare etc.
>>_______________________________________________
>>radiator mailing list
>>radiator@open.com.au
>>http://www.open.com.au/mailman/listinfo/radiator
>

Mon Sep 17 10:48:02 2012 361960: DEBUG: Packet dump:
*** Received from 128.255.11.10 port 43912 ....
Code:       Access-Request
Identifier: 75
Authentic:  G<139><130>f<201><138><208><135>b<152><134>P<178><169><222>p
Attributes:
        User-Name = "rpru...@uiowa.edu"
        NAS-IP-Address = 128.255.11.10
        NAS-Port = 6192
        Called-Station-Id = "00-90-0B-27-10-59:UI-eduroam"
        Calling-Station-Id = "00-27-10-00-61-E0"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11a"
        Chargeable-User-Identity = ""
        EAP-Message = <2><1><0><22><1>rpru...@uiowa.edu
        Message-Authenticator = 
<141><205><235><164><160>2,<200><206><172><226>*<169><143>j`

Mon Sep 17 10:48:02 2012 362615: DEBUG: Handling request with Handler 
'Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, 
Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Sep 17 10:48:02 2012 362962: DEBUG: PreProcessing Hook: called.
Mon Sep 17 10:48:02 2012 363347: DEBUG:  Deleting session for 
rpru...@uiowa.edu, 128.255.11.10, 6192
Mon Sep 17 10:48:02 2012 363677: DEBUG: Handling with Radius::AuthLSA: 
Mon Sep 17 10:48:02 2012 364088: DEBUG: Handling with EAP: code 2, 1, 22, 1
Mon Sep 17 10:48:02 2012 364408: DEBUG: Response type 1
Mon Sep 17 10:48:02 2012 364833: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Sep 17 10:48:02 2012 365166: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP 
Challenge
Mon Sep 17 10:48:02 2012 365501: DEBUG: Access challenged for 
rpru...@uiowa.edu: EAP PEAP Challenge
Mon Sep 17 10:48:02 2012 365858: DEBUG: PostProcessing Hook: called.
Mon Sep 17 10:48:02 2012 366572: DEBUG: Packet dump:
*** Sending to 128.255.11.10 port 43912 ....
Code:       Access-Challenge
Identifier: 75
Authentic:  >w<241><31>6<135><166><211><237><189><204><241><177>v<230><206>
Attributes:
        EAP-Message = <1><2><0><6><25> 
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon Sep 17 10:48:02 2012 415633: DEBUG: Packet dump:
*** Received from 128.255.11.10 port 43912 ....
Code:       Access-Request
Identifier: 79
Authentic:  <15><130><16><29>v<30>K<141><15><168>)|<207><208>XD
Attributes:
        User-Name = "rpru...@uiowa.edu"
        NAS-IP-Address = 128.255.11.10
        NAS-Port = 6192
        Called-Station-Id = "00-90-0B-27-10-59:UI-eduroam"
        Calling-Station-Id = "00-27-10-00-61-E0"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11a"
        Chargeable-User-Identity = ""
        EAP-Message = 
<2><2><0>i<25><128><0><0><0>_<22><3><1><0>Z<1><0><0>V<3><1>PWF26C\<229><29><161>!<213><26>=<239>99<24>M&<244><128><187>Z<143><25><136><193><171><7><131><190><0><0><24><0>/<0>5<0><5><0><10><192><19><192><20><192><9><192><10><0>2<0>8<0><19><0><4><1><0><0><21><255><1><0><1><0><0><10><0><6><0><4><0><23><0><24><0><11><0><2><1><0>
        Message-Authenticator = 
<183>r<187><20><255><182><161><150><245><160><227>8<179><194>L<160>

Mon Sep 17 10:48:02 2012 416306: DEBUG: Handling request with Handler 
'Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, 
Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Sep 17 10:48:02 2012 416663: DEBUG: PreProcessing Hook: called.
Mon Sep 17 10:48:02 2012 417062: DEBUG:  Deleting session for 
rpru...@uiowa.edu, 128.255.11.10, 6192
Mon Sep 17 10:48:02 2012 417401: DEBUG: Handling with Radius::AuthLSA: 
Mon Sep 17 10:48:02 2012 417818: DEBUG: Handling with EAP: code 2, 2, 105, 25
Mon Sep 17 10:48:02 2012 418153: DEBUG: Response type 25
Mon Sep 17 10:48:02 2012 418740: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Mon Sep 17 10:48:02 2012 419189: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Sep 17 10:48:02 2012 419509: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP 
Challenge
Mon Sep 17 10:48:02 2012 419844: DEBUG: Access challenged for 
rpru...@uiowa.edu: EAP PEAP Challenge
Mon Sep 17 10:48:02 2012 420205: DEBUG: PostProcessing Hook: called.
Mon Sep 17 10:48:02 2012 422210: DEBUG: Packet dump:
*** Sending to 128.255.11.10 port 43912 ....
Code:       Access-Challenge
Identifier: 79
Authentic:  <221><146><208><144><172>H<244>pi<206>c<198>"uO<252>
Attributes:
        EAP-Message = 
<1><3><4><236><25><192><0><0><15>!<22><3><1><0>J<2><0><0>F<3><1>PWF2(<223><194><235><244><190><31>%<250><229><156>^<21><212>T|<190><235>>H<137><235><151><221>%<191><192>k
 
$k<171><138><247><243>;<9>04<228><205><216><183><207>r-<147>]<231>'<30><173><148><22><211><141><185><0><180>?F<0>/<0><22><3><1><14><196><11><0><14><192><0><14><189><0><5><179>0<130><5><175>0<130><4><151><160><3><2><1><2><2><17><0><192>1<252><202><166><225>N<140>vY<9>c<243><202>f<195>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0Q1<11>0<9><6><3>U<4><6><19><2>US1<18>0<16><6><3>U<4><10><19><9>Internet21<17>0<15><6><3>U<4><11><19><8>InCommon1<27>0<25><6><3>U<4><3><19><18>InCommon
 Server CA0<30><23><13>110603000000Z<23><13>
        EAP-Message = 
140602235959Z0<130><1><26>1<11>0<9><6><3>U<4><6><19><2>US1<14>0<12><6><3>U<4><17><19><5>522421<11>0<9><6><3>U<4><8><19><2>IA1<18>0<16><6><3>U<4><7><19><9>Iowa
 City1<25>0<23><6><3>U<4><9><19><16>416-3 North 
Hall1<31>0<29><6><3>U<4><9><19><22>The University of 
Iowa1301<6><3>U<4><9><19>*ITS Telecommunication and Network 
Services1<27>0<25><6><3>U<4><10><19><18>University of 
Iowa1<19>0<17><6><3>U<4><11><19><10>ITS-TNS-NS1<20>0<18><6><3>U<4><11><19><11>
        EAP-Message = 
PlatinumSSL1!0<31><6><3>U<4><3><19><24>net-auth-1.its.uiowa.edu0<130><1>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2><130><1><1><0><157>43z1<181>"<145><197>$<25><25><187>J<11><220><193><164><232>SD;<217><177>p<157>`#<201><223><219><179>6<150><216><26>B<13><217><188>B0<184>.<246><168><2><9><243>[d<138>4<21><155><222><1><235>=<232><138>R&<176><19>}<145><216><156><255>C<20><216>b<154><29>@<224>`<17>2z<220>\<165><168><4<2>$o<232><27><206><235><226>C<213>NmI@Q<138><233><218><22><234><241><23>9IQ<152>gM<132>81i<142><228><220><228><16><246><14>!<200>[q<160><239><130><178><254><8>T<177>tD<25><226>g<26><226>B<16><193><158>^}<217><211>5oA<8>7<132><161><15><153><14><232><28>]<133><179><130>n<194><129><16>
        EAP-Message = 
u<186>-<203><175><187>U?<244>-M<156><229>kK<186><209><197><162><169><247><178><220><31>7<191><162>7<131><142>f<203><161>t<132><203>S<202><176><133><186>m"JV<159>Y{l)<235><178><200><11>w<176><185>k<249>*B<10><239><193><183>|<255><24>'<236><166><151><20><246><191><146><128>~<240><198><252>=<2><3><1><0><1><163><130><1><181>0<130><1><177>0<31><6><3>U<29>#<4><24>0<22><128><20>HOZ<250>/J<154>^<224>P<243>k{U<165><222><245><190>4]0<29><6><3>U<29><14><4><22><4><20>\<16><243><136><230><129>q<30><128><0>*<210>M<211><245><127>=Q<10><222>0<14><6><3>U<29><15><1><1><255><4><4><3><2><5><160>0<12><6><3>U<29><19><1><1><255><4><2>0<0>0<29><6><3>U<29>%<4><22>0<20><6><8>+<6><1><5><5><7><3><1><6><8>+<6><1><5><5><7><3><2>0]<6><3>U<29>
 <4>V0T0R<6><12>+<6><1><4><1><174>#<1><4><3><1><1>0B0@<6><8>
        EAP-Message = 
+<6><1><5><5><7><2><1><22>4https://www.incommon.org/cert/repository/cps_ssl.pdf0=<6><3>U<29><31><4>60402<160>0<160>.<134>,http://crl.incommon.org/InCommonServerCA.crl0o<6><8>+<6><1><5><5><7><1><1><4>c0a09<6><8>+<6><1><5><5><7>0<2><134>-http://cert.incommon.org/InCommonServerCA.crt0$<6><8>+<6><1><5><5><7>0<1><134><24>http://ocsp.incommon.org0#<6><3>U<29><17><4><28>0
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Sep 17 10:48:02 2012 457461: DEBUG: Packet dump:
*** Received from 128.255.11.10 port 43912 ....
Code:       Access-Request
Identifier: 82
Authentic:  /<29>gM=<167>l<7>:3<141>6<237><173>z,
Attributes:
        User-Name = "rpru...@uiowa.edu"
        NAS-IP-Address = 128.255.11.10
        NAS-Port = 6192
        Called-Station-Id = "00-90-0B-27-10-59:UI-eduroam"
        Calling-Station-Id = "00-27-10-00-61-E0"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11a"
        Chargeable-User-Identity = ""
        EAP-Message = <2><3><0><6><25><0>
        Message-Authenticator = 
<4><1><137><231>*(<154><237>Q~<225><193><156><144><160><28>

Mon Sep 17 10:48:02 2012 458114: DEBUG: Handling request with Handler 
'Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, 
Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Sep 17 10:48:02 2012 458460: DEBUG: PreProcessing Hook: called.
Mon Sep 17 10:48:02 2012 458899: DEBUG:  Deleting session for 
rpru...@uiowa.edu, 128.255.11.10, 6192
Mon Sep 17 10:48:02 2012 459229: DEBUG: Handling with Radius::AuthLSA: 
Mon Sep 17 10:48:02 2012 459637: DEBUG: Handling with EAP: code 2, 3, 6, 25
Mon Sep 17 10:48:02 2012 459956: DEBUG: Response type 25
Mon Sep 17 10:48:02 2012 460416: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Sep 17 10:48:02 2012 460737: DEBUG: AuthBy LSA result: CHALLENGE, EAP PEAP 
Challenge
Mon Sep 17 10:48:02 2012 461070: DEBUG: Access challenged for 
rpru...@uiowa.edu: EAP PEAP Challenge
Mon Sep 17 10:48:02 2012 461431: DEBUG: PostProcessing Hook: called.
Mon Sep 17 10:48:02 2012 463535: DEBUG: Packet dump:
*** Sending to 128.255.11.10 port 43912 ....
Code:       Access-Challenge
Identifier: 82
Authentic:  <253>j<154><169>[<150><254><196><240><246><160>e<152><184>K<219>
Attributes:
        EAP-Message = 
<1><4><4><232><25>@<26><130><24>net-auth-1.its.uiowa.edu0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><130><1><1><0><149><241>
 
d<246>"<25><130><26>M<0><136><140><3>%<174><163><167>6<207><20><167><13><175><176><226>%(<178><182><140>Xp<173>\J<141><240><162>2i<175><242>8<152><133><139>Oy;<244><225><<145><2><189><255><182><229><215><223>Q<24><18><139>l<225>#<167><162><225><237><177><202>1<166><199>X:,|<184><137>=<236>R<237><195>-L<139><180><200><184>7<139><201>(<149><239><240><195><189><21><181>v<213><207>V<135><197><184>%n<215><177>cR@PXi<180><226>&<5><31><161>[G<191><131>8<167><131>c<191><215><195>=<182>s<139><136>P<21><19><231>z<22>`<255><152>K1<19><25><190>$<139><7>P<168><155><210><189>j+<155><129>j0<225>
 
<25><202><11>"<155><203><225><236><128><141><217><205>;P<135><202><230><8>D<226><9><224><140><186><11><222>
        EAP-Message = 
<151><21>P<182>@<238><28><254>e,<219><195><208><24><239><156>y<232><16><193>P<249>)<154><203><11><139><133><156><190>(<235><172><164><26><240><251><128>2D<221><170><221>|<231><224>Nj<160>^<132>[<189>*5<143><0><4><199>0<130><4><195>0<130><3><171><160><3><2><1><2><2><16><127>q<193><211><162>&<176><210><177><19><243><230><129>gd>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0o1<11>0<9><6><3>U<4><6><19><2>SE1<20>0<18><6><3>U<4><10><19><11>AddTrust
 AB1&0$<6><3>U<4><11><19><29>AddTrust External TTP Network1"0 
<6><3>U<4><3><19><25>AddTrust External CA 
Root0<30><23><13>101207000000Z<23><13>200530104838Z0Q1
        EAP-Message = 
<11>0<9><6><3>U<4><6><19><2>US1<18>0<16><6><3>U<4><10><19><9>Internet21<17>0<15><6><3>U<4><11><19><8>InCommon1<27>0<25><6><3>U<4><3><19><18>InCommon
 Server 
CA0<130><1>"0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><130><1><15><0>0<130><1><10><2><130><1><1><0><151>|<199><200><254><179><233>
 
j<163><164>O<142><142>4V<6><179>zl<170><16><155>Ha+6<144>i<227>4<10>G<167><187>{<222><170>j<251><235><130><149><143><202><29><127><175>u<166><168>L<218>
 
ga<26><13><134><193><202><193><135><175><172>N<228><222>b<27>/<157><177><152><175><198><1><251><23>p<219><172><20>Y<236>o?3<127><166><152><11><228><226>8<175><245><127><133>m<14>t<4><157><246>'<134><199><155><143><231>q*<8><244><3><2>@c$}@W<143>T<224>T~<182><19>Ha<241><222><206><14><189><182><250>M
        EAP-Message = 
<152><178><217><13><141>y<166><224><170><205><12><145><154><165><223><171>s<187><202><20>x\G)<161><202><197><186><159><199><218>`<247><255><231><127><242><217><218><161>-<15>I<22><167><211><0><146><207><138>G<217>M<248><213><149>f<211>t<249><128>c<0>OL<132><22><31><179><245>$<31><161>N<222><232><149><214><178><11><9><139>,k<199>\/<140>c<201><153><203>R<177>b{s<1>b<127>cl<216>h<160><238>j<168><141><31>)<243><208><24><172><173><2><3><1><0><1><163><130><1>w0<130><1>s0<31><6><3>U<29>#<4><24>0<22><128><20><173><189><152>z4<180>&<247><250><196>&T<239><3><189><224>$<203>T<26>0<29><6><3>U<29><14><4><22><4><20>HOZ<250>/J<154>^<224>P<243>k{U<165><222><245><190>4]0<14><6><3>U<29><15><1><1><255><4><4><3><2><1><6>0<18><6><3>U<29><19><1><1><255><4><8>0<6><1><1><255><2><1><0>0<17><6><3>U<29>
 <4><10>0<8>0<6><6><4>U<29> <0>0D<6><3>U
        EAP-Message = 
<29><31><4>=0;09<160>7<160>5<134>3http://crl.usertrust.com/AddTrustExternalCARoot.crl0<129><179><6><8>+<6><1><5><5><7><1><1><4><129><166>0<129><163>0?<6><8>+<6><1><5><5><7>0<2><134>3http://crt.usertrust.com/AddTrustExternalCARoot.p7c09<6><8>+<6><1><5><5><7>0<2><134>-http://crt.usertrust.com/AddTrustUTNSGCCA.crt0%<6><8>+<6><1><5><5><7>0<1><134><25>http://ocsp.usertrust.
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Sep 17 10:48:02 2012 523334: DEBUG: Packet dump:
*** Received from 128.255.11.10 port 43912 ....
Code:       Access-Request
Identifier: 86
Authentic:  <164><251>%<152>v<2><25><149><228><173><243><175><8><8><223><254>
Attributes:
        User-Name = "rpru...@uiowa.edu"
        NAS-IP-Address = 128.255.11.10
        NAS-Port = 6192
        Called-Station-Id = "00-90-0B-27-10-59:UI-eduroam"
        Calling-Station-Id = "00-27-10-00-61-E0"
        Framed-MTU = 1250
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-Compression = None
        Connect-Info = "CONNECT 802.11a"
        Chargeable-User-Identity = ""
        EAP-Message = <2><4><0><17><25><128><0><0><0><7><21><3><1><0><2><2>/
        Message-Authenticator = 
<220><17><223><29>M<208>N<167><237><142><186>h^<133>pA

Mon Sep 17 10:48:02 2012 523992: DEBUG: Handling request with Handler 
'Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, 
Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Sep 17 10:48:02 2012 524338: DEBUG: PreProcessing Hook: called.
Mon Sep 17 10:48:02 2012 524724: DEBUG:  Deleting session for 
rpru...@uiowa.edu, 128.255.11.10, 6192
Mon Sep 17 10:48:02 2012 525053: DEBUG: Handling with Radius::AuthLSA: 
Mon Sep 17 10:48:02 2012 525461: DEBUG: Handling with EAP: code 2, 4, 17, 25
Mon Sep 17 10:48:02 2012 525781: DEBUG: Response type 25
Mon Sep 17 10:48:02 2012 526144: DEBUG: EAP TLS SSL_accept result: 0, 1, 8576
Mon Sep 17 10:48:02 2012 526508: ERR: EAP PEAP TLS Handshake unsuccessful:  
2196: 1 - error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal 
parameter

Mon Sep 17 10:48:02 2012 526821: DEBUG: EAP result: 1, EAP PEAP TLS Handshake 
unsuccessful
Mon Sep 17 10:48:02 2012 527138: DEBUG: AuthBy LSA result: REJECT, EAP PEAP TLS 
Handshake unsuccessful
Mon Sep 17 10:48:02 2012 527471: INFO: Access rejected for rpru...@uiowa.edu: 
EAP PEAP TLS Handshake unsuccessful
Mon Sep 17 10:48:02 2012 528242: DEBUG: PostProcessing Hook: called.
Mon Sep 17 10:48:02 2012 528743: DEBUG: Packet dump:
*** Sending to 128.255.11.10 port 43912 ....
Code:       Access-Reject
Identifier: 86
Authentic:  \<187> <7>6[(m<13><21><19><208>O<20>&<190>
Attributes:
        Reply-Message = "Request Denied"
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
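
Added example (not part of the original post and not Radiator code): a small Python decoder for the `EAP-Message` values in the trace above. Run on the last Access-Request, it shows an EAP Response (code 2, so sent by the client) carrying a plaintext TLS alert record, fatal / illegal_parameter. It assumes that `<N>` in the dump is one byte in decimal and that any other character is a literal byte; all function and table names are illustrative.

```python
import re
import struct

# Assumption: in the dump, <N> is one byte in decimal; anything else is a literal character.
TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.DOTALL)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
               47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version"}

def dump_to_bytes(text):
    """Turn dump notation such as '<2><4><0><17><25>' back into raw bytes."""
    out = bytearray()
    for m in TOKEN.finditer(text):
        if m.group(1) is not None:
            out.append(int(m.group(1)))          # raises ValueError above 255
        else:
            out += m.group(2).encode("latin-1")  # literal printable character
    return bytes(out)

def tls_records(payload):
    """Walk TLS record headers; stop at the first byte that is not a record type."""
    records, pos = [], 0
    while pos + 5 <= len(payload) and payload[pos] in TLS_TYPES:
        ctype, major, minor, rlen = struct.unpack("!BBBH", payload[pos:pos + 5])
        body = payload[pos + 5:pos + 5 + rlen]
        rec = {"type": TLS_TYPES[ctype], "version": (major, minor),
               "complete": len(body) == rlen}
        if ctype == 21 and len(body) == 2:       # plaintext alert: level, description
            rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]),
                            ALERT_NAMES.get(body[1], body[1]))
        records.append(rec)
        pos += 5 + rlen
    return records

def decode_eap(raw):
    """Decode the EAP header and, for EAP-TLS/TTLS/PEAP (13/21/25), the TLS framing."""
    if len(raw) < 5:
        raise ValueError("too short for an EAP request/response with a type")
    code, ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    info = {"code": code, "id": ident, "length": length, "type": eap_type, "records": []}
    if eap_type not in (13, 21, 25) or len(raw) < 6:
        return info
    flags, pos = raw[5], 6
    info.update(length_included=bool(flags & 0x80), more_fragments=bool(flags & 0x40),
                start=bool(flags & 0x20))
    if flags & 0x80 and len(raw) >= pos + 4:
        info["tls_message_length"] = struct.unpack("!I", raw[pos:pos + 4])[0]
        pos += 4
    # Records are only meaningful when the fragment starts on a record boundary.
    info["records"] = tls_records(raw[pos:length])
    return info

# EAP-Message values copied from the trace on this page.
START = "<1><2><0><6><25> "
FAILED = "<2><4><0><17><25><128><0><0><0><7><21><3><1><0><2><2>/"

if __name__ == "__main__":
    for name, dump in (("server start", START), ("client reply", FAILED)):
        print(name, decode_eap(dump_to_bytes(dump)))
```

The decoded header fields match the server's own `Handling with EAP: code 2, 4, 17, 25` line for the same packet.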
