eap_ttls: ERROR: TLS Alert write:fatal:bad record mac

Alan DeKok aland at deployingradius.com
Sat Jun 1 14:04:20 CEST 2019


On Jun 1, 2019, at 5:57 AM, Fredrik Lundhag <fredrik at flattr.com> wrote:
> 
> After a random interval (hours) our wifi clients get disconnected after this log entry:
> 
> ```
> May 24 09:28:15 gra1-radius-01 :   (205) Login incorrect (eap_ttls: TLS Alert write:fatal:bad record mac): [jolt] (from client Flattr port 85 cli 784f434d22ba)
> May 24 09:28:15 gra1-radius-01 :   (205) eap_ttls: ERROR: TLS Alert write:fatal:bad record mac
> ```

  Some magic crypto parameter is wrong.  :(  That's the best non-technical explanation.

  The message is being produced by FreeRADIUS (via OpenSSL), when it tries to decode the packet from the client.  It means that the packet is bad, and that OpenSSL won't continue to run the TLS setup.

  There really isn't anything you can do here.  Just have the user try again.

> I have tried to search for others with this issue, but can't find much that seems related, I have set `tls_max_version = "1.2"` (to not trigger any tls1.3 bugs) but the issue still occurs.

  FreeRADIUS doesn't use TLS 1.3.  And the EAP-TLS transports for TLS 1.3 aren't yet defined.  So no supplicant on the market implements TLS 1.3.

  Alan DeKok.
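A small log-triage script, added here as an example and not part of the thread or of FreeRADIUS itself. Alan's answer is that one `bad record mac` alert is a bad packet and the user should just retry; the operational question that leaves is whether a given client is producing these once in a while or repeatedly. The script parses the `Login incorrect (eap_ttls: TLS Alert ...)` line format quoted above, ties each alert to the user and calling-station MAC, and flags any (MAC, user) pair that hits a threshold inside a sliding window, which separates random one-offs from a specific device or supplicant that keeps failing. The sample log lines are constructed (the `Login OK` line and the user `anna` do not appear in the post), the year is assumed because syslog timestamps carry none, and the window and threshold values are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the FreeRADIUS format quoted in the thread.
# The first two lines mirror the post; the rest are made up for illustration.
SAMPLE_LOG = """\
May 24 09:28:15 gra1-radius-01 :   (205) Login incorrect (eap_ttls: TLS Alert write:fatal:bad record mac): [jolt] (from client Flattr port 85 cli 784f434d22ba)
May 24 09:28:15 gra1-radius-01 :   (205) eap_ttls: ERROR: TLS Alert write:fatal:bad record mac
May 24 09:28:40 gra1-radius-01 :   (206) Login OK: [jolt] (from client Flattr port 85 cli 784f434d22ba)
May 24 09:31:02 gra1-radius-01 :   (210) Login incorrect (eap_ttls: TLS Alert write:fatal:bad record mac): [anna] (from client Flattr port 85 cli aabbccddeeff)
May 24 09:33:10 gra1-radius-01 :   (214) Login incorrect (eap_ttls: TLS Alert write:fatal:bad record mac): [anna] (from client Flattr port 85 cli aabbccddeeff)
May 24 09:35:50 gra1-radius-01 :   (219) Login incorrect (eap_ttls: TLS Alert write:fatal:bad record mac): [anna] (from client Flattr port 85 cli aabbccddeeff)
"""

# Matches only the "Login incorrect" line, which is the one that carries the
# user name and the calling-station MAC alongside the TLS alert text.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ :\s+"
    r"\((?P<reqid>\d+)\) Login incorrect \((?P<module>\w+): TLS Alert (?P<alert>[^)]*)\): "
    r"\[(?P<user>[^\]]+)\] \(from client (?P<nas>\S+) port (?P<port>\d+) "
    r"cli (?P<mac>[0-9a-fA-F]{12})\)$"
)


def parse_alert_events(log_text, year=2019):
    """Return one event dict per 'Login incorrect (...TLS Alert...)' line.

    The bare 'eap_ttls: ERROR:' line and successful logins are skipped; the
    year is an assumption because the syslog timestamp does not carry one.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m['month']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y"
        )
        events.append({
            "time": ts,
            "reqid": int(m["reqid"]),
            "module": m["module"],
            "alert": m["alert"],
            "user": m["user"],
            "nas": m["nas"],
            "mac": m["mac"].lower(),
        })
    return events


def repeat_offenders(events, window=timedelta(minutes=10), threshold=3):
    """Group alerts by (mac, user) and flag pairs that produced at least
    `threshold` alerts inside any sliding `window`.

    Returns {(mac, user): max_alerts_in_one_window} for flagged pairs only.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["mac"], ev["user"])].append(ev["time"])

    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        best = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    evs = parse_alert_events(SAMPLE_LOG)
    print(f"{len(evs)} TLS alert events parsed")
    for (mac, user), n in repeat_offenders(evs).items():
        print(f"repeated alerts: user={user} mac={mac} count={n}")
```

With the constructed input, `jolt` produces a single alert followed by a successful login, which is the transient case Alan describes, while `anna` is flagged with three alerts in under five minutes, which is the pattern worth chasing down to one device or supplicant rather than treating as random noise.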
