eap_ttls: ERROR: TLS Alert write:fatal:bad record mac

Fredrik Lundhag fredrik at flattr.com
Sat Jun 1 11:57:52 CEST 2019


Hey guys, 

After a random interval (hours) our wifi clients get disconnected after this log entry:

```
May 24 09:28:15 gra1-radius-01 :   (205) Login incorrect (eap_ttls: TLS Alert write:fatal:bad record mac): [jolt] (from client Flattr port 85 cli 784f434d22ba)
May 24 09:28:15 gra1-radius-01 :   (205) eap_ttls: ERROR: TLS Alert write:fatal:bad record mac
```

This is on Alpine 3.9 with freeradius-eap-3.0.17-r5, and openssl-1.1.1b-r1. This is my first time setting this up, so bear with me. I'm running this together with an Asus router with EAP-TTLS and having mainly macbooks in this office. 

I have tried to search for others with this issue, but can't find much that seems related. I have set `tls_max_version = "1.2"` (to not trigger any tls1.3 bugs) but the issue still occurs.

## Output of `[radiusd|freeradius] -fxx -l stdout` (if using e.g. RADIUS with TLS)

```text
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 231, (47 handled so far)
(231) Received Access-Request Id 2 from 172.16.48.214:48268 to 172.16.54.20:1812 length 197
(231)   User-Name = "jolt"
(231)   NAS-IP-Address = 172.16.48.214
(231)   Called-Station-Id = "40b076368a34"
(231)   Calling-Station-Id = "784f434d22ba"
(231)   NAS-Identifier = "40b076368a34"
(231)   NAS-Port = 85
(231)   Framed-MTU = 1400
(231)   State = 0x63de82e165d997993bc43b07e7488f96
(231)   NAS-Port-Type = Wireless-802.11
(231)   EAP-Message = 0x020700431580000000391703030034e3e40e58ae7f7295d08781537dec10239ab8dc0c805e653756f82652fbb22f2840139d3800015443f177ff4266a1afcafaf4f27a
(231)   Message-Authenticator = 0x4ebdb0708a803b03cc27cd1f666e128a
(231) session-state: No cached attributes
(231) # Executing section authorize from file /etc/raddb/sites-enabled/default
(231)   authorize {
(231) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(231) auth_log:    --> /var/log/radius/radacct/172.16.48.214/auth-detail-20190528
(231) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.48.214/auth-detail-20190528
(231) auth_log: EXPAND %t
(231) auth_log:    --> Tue May 28 09:27:49 2019
(231)     [auth_log] = ok
(231) eap: Peer sent EAP Response (code 2) ID 7 length 67
(231) eap: Continuing tunnel setup
(231)     [eap] = ok
(231)   } # authorize = ok
(231) Found Auth-Type = eap
(231) # Executing group from file /etc/raddb/sites-enabled/default
(231)   authenticate {
(231) eap: Expiring EAP session with state 0x7833efcb7832e926
(231) eap: Finished EAP session with state 0x63de82e165d99799
(231) eap: Previous EAP request found for state 0x63de82e165d99799, released from the list
(231) eap: Peer sent packet with method EAP TTLS (21)
(231) eap: Calling submodule eap_ttls to process data
(231) eap_ttls: Authenticate
(231) eap_ttls: Continuing EAP-TLS
(231) eap_ttls: Peer indicated complete TLS record size will be 57 bytes
(231) eap_ttls: Got complete TLS record (57 bytes)
(231) eap_ttls: [eaptls verify] = length included
(231) eap_ttls: >>> send TLS 1.2  [length 0002] 
(231) eap_ttls: ERROR: TLS Alert write:fatal:bad record mac
(231) eap_ttls: SSL_read Error
(231) eap_ttls: ERROR: Error in fragmentation logic
(231) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
(231) eap_ttls: ERROR: System call (I/O) error (-1)
(231) eap_ttls: ERROR: [eaptls process] = fail
(231) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(231) eap: Sending EAP Failure (code 4) ID 7 length 4
(231) eap: Failed in EAP select
(231)     [eap] = invalid
(231)   } # authenticate = invalid
(231) Failed to authenticate the user
(231) Using Post-Auth-Type Reject
(231) # Executing group from file /etc/raddb/sites-enabled/default
(231)   Post-Auth-Type REJECT {
(231) attr_filter.access_reject: EXPAND %{User-Name}
(231) attr_filter.access_reject:    --> jolt
(231) attr_filter.access_reject: Matched entry DEFAULT at line 11
(231)     [attr_filter.access_reject] = updated
(231)     policy remove_reply_message_if_eap {
(231)       if (&reply:EAP-Message && &reply:Reply-Message) {
(231)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(231)       else {
(231)         [noop] = noop
(231)       } # else = noop
(231)     } # policy remove_reply_message_if_eap = noop
(231)   } # Post-Auth-Type REJECT = updated
(231) Delaying response for 1.000000 seconds
Thread 4 waiting to be assigned a request
Waking up in 0.6 seconds.
(231) Sending delayed response
(231) Sent Access-Reject Id 2 from 172.16.54.20:1812 to 172.16.48.214:48268 length 44
(231)   EAP-Message = 0x04070004
(231)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(231) Cleaning up request packet ID 2 with timestamp +330184
Ready to process requests
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 232, (47 handled so far)
```

Any guesses?

-- 
Fredrik Lundhag
wire.com <http://wire.com/>: @jolt
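To triage this kind of failure across many requests, here is an added Python example (not from the original post and not FreeRADIUS code) that groups `radiusd -X` style output by request number and reports every Access-Reject that carried a TLS alert, together with the User-Name and Calling-Station-Id of the affected client; the sample log lines are constructed to mirror the shape of the dump above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of radiusd -X output; not the original dump.
SAMPLE_LOG = """\
Thread 4 got semaphore
(231) Received Access-Request Id 2 from 172.16.48.214:48268 to 172.16.54.20:1812 length 197
(231)   User-Name = "jolt"
(231)   NAS-IP-Address = 172.16.48.214
(231)   Calling-Station-Id = "784f434d22ba"
(231) eap_ttls: ERROR: TLS Alert write:fatal:bad record mac
(231) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
(231) Sent Access-Reject Id 2 from 172.16.54.20:1812 to 172.16.48.214:48268 length 44
(232) Received Access-Request Id 3 from 172.16.48.214:48268 to 172.16.54.20:1812 length 190
(232)   User-Name = "alice"
(232)   Calling-Station-Id = "aabbccddeeff"
(232) Sent Access-Accept Id 3 from 172.16.54.20:1812 to 172.16.48.214:48268 length 180
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")                      # "(231) ..." request prefix
ATTR_RE = re.compile(r'^(User-Name|Calling-Station-Id|NAS-IP-Address) = "?([^"]*)"?$')
TLS_ERR_RE = re.compile(r"eap_(?:ttls|tls|peap): ERROR: (TLS Alert .*|Failed in .*)$")
RESULT_RE = re.compile(r"^Sent (Access-(?:Accept|Reject|Challenge))")

def parse_radius_debug(text):
    """Group debug lines by request number; collect attributes, TLS errors and the final reply."""
    reqs = defaultdict(lambda: {"attrs": {}, "tls_errors": [], "result": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # thread/timer chatter has no request prefix; ignore it
        rid, body = m.group(1), m.group(2).strip()
        r = reqs[rid]
        if (a := ATTR_RE.match(body)):
            r["attrs"][a.group(1)] = a.group(2)
        elif (e := TLS_ERR_RE.search(body)):
            r["tls_errors"].append(e.group(1))
        elif (s := RESULT_RE.match(body)):
            r["result"] = s.group(1)
    return dict(reqs)

def tls_failures(text):
    """Return (User-Name, Calling-Station-Id, first TLS error) for each rejected request with a TLS alert."""
    out = []
    for _rid, r in sorted(parse_radius_debug(text).items(), key=lambda kv: int(kv[0])):
        if r["result"] == "Access-Reject" and r["tls_errors"]:
            out.append((r["attrs"].get("User-Name"), r["attrs"].get("Calling-Station-Id"), r["tls_errors"][0]))
    return out

if __name__ == "__main__":
    for user, mac, err in tls_failures(SAMPLE_LOG):
        print(f"{user} ({mac}): {err}")
```

Feeding the real `-X` output through `tls_failures` shows whether the bad-record-mac alerts cluster on one client MAC (pointing at a particular supplicant) or spread across all of them (pointing at the server side or the NAS).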





More information about the Freeradius-Users mailing list