TLS Alert write:fatal:bad record mac
Hi,

All authentication was stopped at 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac

Tue Jun 7 18:59:34 2011 : Auth: Login OK: [s9540746] (from client localhost port 0)
Tue Jun 7 18:59:35 2011 : Auth: Login OK: [s0182695] (from client localhost port 0)
Tue Jun 7 18:59:35 2011 : Auth: Login OK: [s9540746] (from client AP1840-7 port 0 cli 8C-7B-9D-AC-DE-88)
Tue Jun 7 18:59:35 2011 : Auth: Login OK: [s0182695] (from client wlan2_phy port 0 cli 8C-7B-9D-C5-1D-A5)
Tue Jun 7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Tue Jun 7 18:59:36 2011 : Auth: Login incorrect: [s1017761/] (from client wlan2_phy port 0 cli 8C-7B-9D-9C-29-21)
Tue Jun 7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Tue Jun 7 18:59:36 2011 : Auth: Login incorrect: [s1001903/] (from client AP1840-6 port 0 cli 8C-7B-9D-A4-95-AE)
Tue Jun 7 18:59:36 2011 : Info: rlm_eap_mschapv2: Issuing Challenge
Tue Jun 7 18:59:36 2011 : Info: rlm_eap_mschapv2: Issuing Challenge
Tue Jun 7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

Regards
Angus
ITU Systems
Ext: 6551

This e-mail and its attachments, if any, are confidential and contain information for an intended recipient. The Open University of Hong Kong (OUHK) disclaims any liability for any loss or damage if this e-mail is received by any person who is not the intended recipient. E-mail transmissions cannot be guaranteed to be completely secure, error or virus free. No responsibility is accepted by the OUHK for any loss or damage arising in any way from receipt or use thereof. Arrangements or statements appearing to bind OUHK are not binding upon OUHK unless made in accordance with OUHK's constitution and duly authorised. OUHK staff are expressly prohibited from breaching applicable law, infringing third party rights, making defamatory statements and committing tortious acts by e-mail communications.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: "Error: rlm_ldap: All ldap connections are in use"
Hi Phil,

All authentication was stopped at 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac

Tue Jun 7 18:59:34 2011 : Auth: Login OK: [s9540746] (from client localhost port 0)
Tue Jun 7 18:59:35 2011 : Auth: Login OK: [s0182695] (from client localhost port 0)
Tue Jun 7 18:59:35 2011 : Auth: Login OK: [s9540746] (from client AP1840-7 port 0 cli 8C-7B-9D-AC-DE-88)
Tue Jun 7 18:59:35 2011 : Auth: Login OK: [s0182695] (from client wlan2_phy port 0 cli 8C-7B-9D-C5-1D-A5)
Tue Jun 7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Tue Jun 7 18:59:36 2011 : Auth: Login incorrect: [s1017761/] (from client wlan2_phy port 0 cli 8C-7B-9D-9C-29-21)
Tue Jun 7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Tue Jun 7 18:59:36 2011 : Auth: Login incorrect: [s1001903/] (from client AP1840-6 port 0 cli 8C-7B-9D-A4-95-AE)
Tue Jun 7 18:59:36 2011 : Info: rlm_eap_mschapv2: Issuing Challenge
Tue Jun 7 18:59:36 2011 : Info: rlm_eap_mschapv2: Issuing Challenge
Tue Jun 7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

Regards
Angus
ITU Systems
Ext: 6551

-----Original Message-----
From: freeradius-users-bounces+ajiang=ouhk.edu...@lists.freeradius.org On Behalf Of Angus JIANG Jian
Sent: Monday, June 13, 2011 10:53 PM
To: FreeRadius users mailing list
Subject: RE: "Error: rlm_ldap: All ldap connections are in use"

Hi,

Our ldap server is Novell edirectory 8.6, the radius is talking with edirectory 8.6.

Regards
Angus
ITU Systems
Ext: 6551

-----Original Message-----
From: freeradius-users-bounces+ajiang=ouhk.edu...@lists.freeradius.org On Behalf Of Phil Mayers
Sent: Monday, June 13, 2011 10:12 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: "Error: rlm_ldap: All ldap connections are in use"

On 13/06/11 14:44, Angus JIANG Jian wrote:
> we found the following error messages in the RADIUS log "Error: rlm_ldap: All ldap connections are in use" on redhat workstation 5 OS.
>
> "Error: Discarding duplicate request from client AP1840-4:1031 - ID: 72 due to unfinished request 1017"
> 7:05pm - Tried to restart the RADIUS daemon but the problem still exists
> 7:08pm - Tried to increase the ldap_connection limit from 15 to 50 but got other error message "Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request"
> - Resumed the ldap_connection limit, the problem still exists

Your LDAP server is taking too long. It's too slow.

Ensure your LDAP database is indexed correctly.
RE: "Error: rlm_ldap: All ldap connections are in use"
Hi,

Our ldap server is Novell edirectory 8.6, the radius is talking with edirectory 8.6.

Regards
Angus
ITU Systems
Ext: 6551

-----Original Message-----
From: freeradius-users-bounces+ajiang=ouhk.edu...@lists.freeradius.org On Behalf Of Phil Mayers
Sent: Monday, June 13, 2011 10:12 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: "Error: rlm_ldap: All ldap connections are in use"

On 13/06/11 14:44, Angus JIANG Jian wrote:
> we found the following error messages in the RADIUS log "Error: rlm_ldap: All ldap connections are in use" on redhat workstation 5 OS.
>
> "Error: Discarding duplicate request from client AP1840-4:1031 - ID: 72 due to unfinished request 1017"
> 7:05pm - Tried to restart the RADIUS daemon but the problem still exists
> 7:08pm - Tried to increase the ldap_connection limit from 15 to 50 but got other error message "Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request"
> - Resumed the ldap_connection limit, the problem still exists

Your LDAP server is taking too long. It's too slow.

Ensure your LDAP database is indexed correctly.
Re: Multiple Accounting copies
Shreya Shah wrote:
> Thanks Alan but we are using 2.1.10. I do not see a rlm_replicate in
> this version. Is there a work around to get this working on 2.1.10 ?

No. See http://git.freeradius.org/ for instructions on getting v2.1.x.

Alan DeKok.
Re: Multiple Accounting copies
Thanks Alan but we are using 2.1.10. I do not see a rlm_replicate in this version. Is there a work around to get this working on 2.1.10 ?

Thanks,
Shreya.

On Sun, Jun 12, 2011 at 2:14 AM, Alan DeKok wrote:
> Shreya Shah wrote:
> > I need to send copies of accounting packets going to multiple servers.
> > I do not want to set this up as failover or load balancing.
> >
> > I was able to setup one home server in proxy.conf for accounting and
> > that is working fine but I'm unable to send this to multiple servers. Do
> > I need to have multiple copies of copy-acct-to-home-server in
> > sites-available ?
>
> No. In 2.1.11, see rlm_replicate.
>
> > Also do I need to send accounting packets on different
> > port for every server ?
>
> No.
>
> Alan DeKok.
Re: "Error: rlm_ldap: All ldap connections are in use"
On 13/06/11 14:44, Angus JIANG Jian wrote:
> we found the following error messages in the RADIUS log "Error: rlm_ldap: All ldap connections are in use" on redhat workstation 5 OS.
>
> "Error: Discarding duplicate request from client AP1840-4:1031 - ID: 72 due to unfinished request 1017"
> 7:05pm - Tried to restart the RADIUS daemon but the problem still exists
> 7:08pm - Tried to increase the ldap_connection limit from 15 to 50 but got other error message "Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request"
> - Resumed the ldap_connection limit, the problem still exists

Your LDAP server is taking too long. It's too slow.

Ensure your LDAP database is indexed correctly.
"Error: rlm_ldap: All ldap connections are in use"
we found the following error messages in the RADIUS log "Error: rlm_ldap: All ldap connections are in use" on redhat workstation 5 OS.

"Error: Discarding duplicate request from client AP1840-4:1031 - ID: 72 due to unfinished request 1017"

7:05pm - Tried to restart the RADIUS daemon but the problem still exists
7:08pm - Tried to increase the ldap_connection limit from 15 to 50 but got other error message "Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request"
- Resumed the ldap_connection limit, the problem still exists
7:15pm - Restarted the Linux VM but the problem still exists... "All ldap connection are in use"
~7:25pm - Tried to bypass the authentication
7:27pm - 7:39pm - ALL AP were rebooted automatically
7:41pm - Resumed the authentication bypass and restarted the RADIUS. Most users can login successfully.
- Many users don't know how to register their account in APPS Store and could not download APPS
- Around four APs reached the max 45 users.
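As an added example, not taken from either thread or from FreeRADIUS itself, here is a small Python triage script for the two families of radius.log lines posted above: the rlm_ldap pool-exhaustion, duplicate-request and thread-cap messages of this report, and the "TLS Alert write:fatal:bad record mac" lines Angus posted in the other thread. The sample lines are constructed to match the quoted 2.x log shape ("<ctime> : <Level>: <message>"); pairing a TLS alert with the next failed login is a heuristic, since the alert line itself names no client.

```python
"""Triage FreeRADIUS 2.x radius.log lines for the failure families seen in these threads.

Added example for this page (not FreeRADIUS code). It assumes the 2.x log line shape
quoted above: "<ctime timestamp> : <Level>: <message>".
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the lines quoted in the threads; not a real capture.
SAMPLE_LOG = """\
Tue Jun 7 18:59:34 2011 : Auth: Login OK: [s9540746] (from client localhost port 0)
Tue Jun 7 18:59:35 2011 : Auth: Login OK: [s0182695] (from client wlan2_phy port 0 cli 8C-7B-9D-C5-1D-A5)
Tue Jun 7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun 7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Tue Jun 7 18:59:36 2011 : Auth: Login incorrect: [s1017761/] (from client wlan2_phy port 0 cli 8C-7B-9D-9C-29-21)
Mon Jun 13 14:40:01 2011 : Error: rlm_ldap: All ldap connections are in use
Mon Jun 13 14:40:01 2011 : Error: Discarding duplicate request from client AP1840-4:1031 - ID: 72 due to unfinished request 1017
Mon Jun 13 14:40:02 2011 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
"""

# ctime() puts two spaces before a single-digit day; the mailing-list copy collapsed them, so allow both.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\(from client (?P<client>\S+) port \d+(?: cli (?P<mac>[0-9A-Fa-f-]+))?\)")

# Message patterns, tried in order; the first hit names the event kind.
RULES = [
    ("tls_bad_record_mac", re.compile(r"TLS Alert write:fatal:bad record mac")),
    ("tls_session_failed", re.compile(r"rlm_eap(?:_tls)?: .*(?:bad record mac|TLS session fails)")),
    ("ldap_pool_exhausted", re.compile(r"rlm_ldap: All ldap connections are in use")),
    ("duplicate_request", re.compile(r"Discarding duplicate request from client (?P<client>\S+)")),
    ("thread_cap", re.compile(r"maximum number of threads \((?P<threads>\d+)\) are active")),
    ("login_ok", re.compile(r"^Login OK: \[(?P<user>[^\]/]+)")),
    ("login_incorrect", re.compile(r"^Login incorrect: \[(?P<user>[^\]/]+)")),
]


def parse_line(line):
    """Return an event dict for one radius.log line, or None if it is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), "level": m["level"], "kind": "other"}
    for kind, rx in RULES:
        hit = rx.search(m["msg"])
        if hit:
            event["kind"] = kind
            event.update({k: v for k, v in hit.groupdict().items() if v})
            break
    c = CLIENT_RE.search(m["msg"])
    if c:
        event.update({k: v for k, v in c.groupdict().items() if v})
    return event


def triage(log_text, window=timedelta(seconds=2)):
    """Count event kinds and derive the findings a responder would act on."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    counts = Counter(e["kind"] for e in events)
    findings = []

    # Pool exhaustion together with NAS retransmits or the thread cap means requests are
    # queueing behind a slow LDAP backend; larger pools or thread limits only lengthen the
    # queue, which is the diagnosis Phil Mayers gives in the thread.
    if counts["ldap_pool_exhausted"] and (counts["duplicate_request"] or counts["thread_cap"]):
        findings.append("backend_latency")

    # The TLS alert line names no client, so each alert is paired with the next failed
    # login inside `window`. This is a heuristic association, not a hard link.
    victims, used = [], set()
    for alert in (e for e in events if e["kind"] == "tls_bad_record_mac"):
        for i, e in enumerate(events):
            if i in used or e["kind"] != "login_incorrect":
                continue
            if alert["ts"] <= e["ts"] <= alert["ts"] + window:
                used.add(i)
                victims.append((e["user"], e.get("client"), e.get("mac")))
                break
    if counts["tls_bad_record_mac"]:
        findings.append("eap_tls_record_failures")

    return {"counts": dict(counts), "findings": findings, "tls_victims": victims}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real radius.log by passing the file contents to `triage()`; the "backend_latency" finding is the signal that, as Phil says, the LDAP side needs fixing rather than the pool size.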
Strange problem using hints to administer privileges
radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
type = "auth"
ipaddr = 10.10.8.70
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address 10.10.8.70 port 1812
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.

NOW I REQUEST maxA HAVING ACCESS TO A MACHINE OF CUSTOMER A (ALLOWED)

rad_recv: Access-Request packet from host 10.10.10.232 port 51990, id=183, length=62
User-Name = "maxA"
User-Password = "pippo"
NAS-IP-Address = 10.10.8.2
NAS-Port = 1
Framed-Protocol = PPP
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 56
[preprocess] expand: %{NAS-IP-Address} -> 10.10.8.2
[preprocess] hints: Matched DEFAULT at 62
[preprocess] expand: %{NAS-IP-Address} -> 10.10.8.2
[preprocess] expand: %{NAS-IP-Address} -> 10.10.8.2
[preprocess] hints: Matched DEFAULT at 86
[preprocess] expand: %{itfclient} -> clienteA
[preprocess] hints: Matched DEFAULT at 128
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.10.10.232/auth-detail-20110613
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.10.232/auth-detail-20110613
[auth_log] expand: %t -> Mon Jun 13 15:12:08 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[files] users: Matched entry maxA at line 70
[files] users: Matched entry DEFAULT at line 73
++[files] returns ok
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [maxA/pippo] (from client itf_test port 1)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 183 to 10.10.10.232 port 51990
Finished request 0.
Going to the next request
Cleaning up request 0 ID 183 with timestamp +137
Ready to process requests.

NOW I REQUEST maxA TO HAVE ACCESS TO A CUSTOMER B MACHINE (NOT ALLOWED)

rad_recv: Access-Request packet from host 10.10.10.232 port 41485, id=116, length=62
User-Name = "maxA"
User-Password = "pippo"
NAS-IP-Address = 10.10.9.2
NAS-Port = 1
Framed-Protocol = PPP
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 56
[preprocess] expand: %{NAS-IP-Address} -> 10.10.9.2
[preprocess] expand: %{NAS-IP-Address} -> 10.10.9.2
[preprocess] hints: Matched DEFAULT at 66
[preprocess] expand: %{NAS-IP-Address} -> 10.10.9.2
[preprocess] hints: Matched DEFAULT at 89
[preprocess] hints: Matched DEFAULT at 128
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.10.10.232/auth-detail-20110613
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.10.232/auth-detail-20110613
[auth_log] expand: %t -> Mon Jun 13 15:13:20 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[files] users: Matched entry maxA at line 70
[files] users: Matched entry DEFAULT at line 73
++[files] returns ok
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [maxA/pippo] (from client itf_test port 1)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 116 to 10.10.10.232 port 41485
Finished request 1.
Going to the next request
Cleaning up request 1 ID 116 with timestamp +209
Ready to process requests.

Thanks for the attention and forgive my not-so-good English,

Denis
--
Registered Linux User # 372295
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/CM d--- s:+: a-- C+++ UL+++S E--- W+(-) N o+ w--- O? M-- PS+ PE Y+ PGP t+(++) 5? X- R* tv-- b+ DI+ D G+ e h! r++ y*
------END GEEK CODE BLOCK------
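The trace above shows the same two users-file entries (maxA at line 70, then DEFAULT at line 73) matching for both NAS addresses, so whatever the hints file derives per customer is not being used as a check item, and the second request is accepted. As an added example, not Denis's configuration and not FreeRADIUS code, the Python model below reproduces the first-match rules rlm_files applies to the users file (entries in order, comparison check items must all hold, ":=" items set control attributes, Fall-Through continues) and contrasts a loose entry set that behaves like the trace with one that pins maxA to customer A's NAS and ends in the usual DEFAULT Auth-Type := Reject. The entries and requests are constructed; the password check that follows authorize is not modelled.

```python
"""Model of the first-match rules FreeRADIUS rlm_files applies to the 'users' file.

Added example for this page, written to reproduce the behaviour in the debug output
above; it is not FreeRADIUS code and the entries are constructed (the real users file
is not shown in the thread).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    name: str                                    # user name, or DEFAULT
    check: dict = field(default_factory=dict)    # check items: attr -> (op, value)
    reply: dict = field(default_factory=dict)    # reply items: attr -> value


def compare(op, want, have):
    """Evaluate one comparison check item against the request value (None if absent)."""
    if have is None:
        return False
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    if op == "=~":
        return re.search(want, have) is not None
    raise ValueError("unsupported operator " + op)


def evaluate(entries, request):
    """Walk the entries in order: an entry applies when its name is DEFAULT or equals the
    User-Name and every comparison check item holds; ':=' check items are control items
    and are set rather than compared. After a hit, processing stops unless the entry
    replies with Fall-Through = Yes."""
    control, reply, matched = {}, {}, []
    for e in entries:
        if e.name != "DEFAULT" and e.name != request.get("User-Name"):
            continue
        pending, holds = {}, True
        for attr, (op, value) in e.check.items():
            if op == ":=":
                pending[attr] = value
            elif not compare(op, value, request.get(attr)):
                holds = False
                break
        if not holds:
            continue
        matched.append(e.name)
        control.update(pending)
        reply.update({k: v for k, v in e.reply.items() if k != "Fall-Through"})
        if e.reply.get("Fall-Through", "No").lower() != "yes":
            break
    if not matched:
        verdict = "notfound"
    elif control.get("Auth-Type") == "Reject":
        verdict = "reject"
    else:
        verdict = "accept"   # the password check that follows authorize is not modelled
    return {"verdict": verdict, "matched": matched, "reply": reply}


# Constructed entries. LOOSE reproduces the trace: maxA matches, falls through to DEFAULT,
# and nothing ties maxA to customer A's NAS, so both NAS addresses are accepted.
LOOSE = [
    Entry("maxA", {"Cleartext-Password": (":=", "pippo")}, {"Fall-Through": "Yes"}),
    Entry("DEFAULT", {}, {"Framed-Protocol": "PPP", "Service-Type": "Framed-User"}),
]

# STRICT pins maxA to the NAS it may use and ends with the usual catch-all reject, so a
# request from any other NAS (or from an unlisted user) is refused instead of accepted.
STRICT = [
    Entry("maxA", {"Cleartext-Password": (":=", "pippo"), "NAS-IP-Address": ("==", "10.10.8.2")},
          {"Framed-Protocol": "PPP", "Service-Type": "Framed-User"}),
    Entry("DEFAULT", {"Auth-Type": (":=", "Reject")}, {"Reply-Message": "not permitted from this NAS"}),
]

# Requests mirroring the two Access-Requests in the trace (customer A NAS, then customer B NAS).
REQ_A = {"User-Name": "maxA", "User-Password": "pippo", "NAS-IP-Address": "10.10.8.2", "NAS-Port": "1"}
REQ_B = {"User-Name": "maxA", "User-Password": "pippo", "NAS-IP-Address": "10.10.9.2", "NAS-Port": "1"}


if __name__ == "__main__":
    for label, entries in (("loose", LOOSE), ("strict", STRICT)):
        for req in (REQ_A, REQ_B):
            print(label, req["NAS-IP-Address"], evaluate(entries, req))
```

The point of the model is the ordering rule: with no NAS check on the maxA entry, the second request never reaches anything that could refuse it, and the trailing DEFAULT reject only helps once the per-user entry stops matching for NAS addresses the user is not entitled to.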