EAP-TLS Fragmentation Error

Nikita Borisenkov bna at sunlink.ru
Fri Feb 28 13:27:13 CET 2020


> Hi Gang,
>
> I get the following auth failure for machines connecting wirelessly through a Cisco AP-1142N:
>
>> eap: Calling submodule eap_tls to process data
>> eap_tls: Continuing EAP-TLS
>> eap_tls: Peer indicated complete TLS record size will be 31 bytes
>> eap_tls: Got complete TLS record (31 bytes)
>> eap_tls: [eaptls verify] = length included
>> eap_tls: <<< recv TLS 1.2  [length 0002]
>> eap_tls: ERROR: TLS Alert read:fatal:access denied
>> eap_tls: SSL_read Error
>> eap_tls: ERROR: Error in fragmentation logic
>> eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
>> eap_tls: ERROR: [eaptls process] = fail
>> eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
>> eap: Sending EAP Failure (code 4) ID 12 length 4
> There appears to be no method to this madness. Same setup[1] at our auxiliary site and everything works fine.
>
> I don't know how to interpret this error, so looking for a root cause has so far escaped me. Some of our Windows 10 workstations connect without any problems, some won't. The only obvious difference between those two locations is the model of Cisco WAP involved. Could this be an authenticator issue?
>
> Any pointers greatly appreciated!
>
> Mike
>
> [1] v.3.0.17 on Debian 10.3
>
It would be great to see the full debug output, but it looks like the 
EAP-Message attribute from the RADIUS client contains a TLS Alert 
("eap_tls: <<< recv TLS 1.2 [length 0002]") with error code 49 (access 
denied).

Instead of an alert, the client should send a Client Hello.
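To make the interpretation above concrete, here is an added example (written for this page, not code from the thread or from FreeRADIUS) that decodes an EAP-TLS packet per RFC 5216 (EAP header, type 13, L/M/S flag byte, optional 4-byte TLS message length) and then names the TLS record it carries: a 2-byte alert becomes a level and description (2/49 is fatal access_denied, the case in the log), while a handshake record is identified by its handshake type (1 is ClientHello). The two sample packets are constructed here for illustration and are not captures from the reporter's site; the function names are this example's own.

```python
import struct

# EAP-TLS packet layout (RFC 5216): EAP code, identifier, length, type 13,
# flags byte (L/M/S bits), optional 4-byte TLS message length when L is set,
# then the TLS data carried by this fragment.
EAP_TYPE_TLS = 13
FLAG_LENGTH_INCLUDED = 0x80  # L bit: 4-byte TLS message length follows
FLAG_MORE_FRAGMENTS = 0x40   # M bit: more fragments follow
FLAG_START = 0x20            # S bit: EAP-TLS Start (server -> peer)

TLS_ALERT = 21
TLS_HANDSHAKE = 22

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 112: "unrecognized_name",
}
HANDSHAKE_TYPES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
    15: "certificate_verify", 16: "client_key_exchange", 20: "finished",
}


def parse_eap_tls(packet: bytes) -> dict:
    """Split one EAP-TLS packet into its header fields and the TLS data."""
    if len(packet) < 6:
        raise ValueError("packet too short for an EAP-TLS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != packet size {len(packet)}")
    if packet[4] != EAP_TYPE_TLS:
        raise ValueError(f"EAP type {packet[4]} is not EAP-TLS (13)")
    flags = packet[5]
    offset, tls_message_length = 6, None
    if flags & FLAG_LENGTH_INCLUDED:          # "[eaptls verify] = length included"
        tls_message_length = struct.unpack("!I", packet[6:10])[0]
        offset = 10
    return {
        "code": code, "id": ident,
        "length_included": bool(flags & FLAG_LENGTH_INCLUDED),
        "more_fragments": bool(flags & FLAG_MORE_FRAGMENTS),
        "start": bool(flags & FLAG_START),
        "tls_message_length": tls_message_length,
        "tls_data": packet[offset:],
    }


def iter_tls_records(data: bytes):
    """Yield (content_type, version, body) for each TLS record in data."""
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated TLS record header")
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated TLS record body")
        yield ctype, (major, minor), body
        off += 5 + rlen


def classify_tls_data(data: bytes) -> list:
    """Name what the peer actually sent: an alert, a handshake message, or other."""
    found = []
    for ctype, _version, body in iter_tls_records(data):
        if ctype == TLS_ALERT and len(body) == 2:      # alert = level + description
            level, desc = body[0], body[1]
            found.append(("alert", ALERT_LEVELS.get(level, f"unknown({level})"),
                          ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")))
        elif ctype == TLS_HANDSHAKE and body:           # first byte = handshake type
            found.append(("handshake", HANDSHAKE_TYPES.get(body[0], f"unknown({body[0]})")))
        else:
            found.append(("other", ctype))
    return found


def diagnose(packet: bytes) -> str:
    """One-line verdict on a peer's first EAP-TLS response."""
    found = classify_tls_data(parse_eap_tls(packet)["tls_data"])
    if found and found[0][0] == "alert":
        return f"peer sent TLS alert {found[0][1]}:{found[0][2]} instead of a ClientHello"
    if found and found[0] == ("handshake", "client_hello"):
        return "peer sent a ClientHello; TLS handshake can proceed"
    return f"unexpected first TLS content: {found}"


def build_eap_tls_response(ident: int, tls_data: bytes,
                           flags: int = FLAG_LENGTH_INCLUDED) -> bytes:
    """Build an EAP-Response/EAP-TLS packet; used here only to construct samples."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_LENGTH_INCLUDED:
        body += struct.pack("!I", len(tls_data))
    body += tls_data
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


# Constructed samples (not captures from the thread): a fatal access_denied
# alert record (level 2, description 49) and a minimal ClientHello record.
ALERT_RESPONSE = build_eap_tls_response(12, b"\x15\x03\x03\x00\x02\x02\x31")
_hello = b"\x01\x00\x00\x06\x03\x03" + b"\x00" * 4   # handshake type 1 = ClientHello
CLIENT_HELLO_RESPONSE = build_eap_tls_response(
    12, b"\x16\x03\x01" + struct.pack("!H", len(_hello)) + _hello)

if __name__ == "__main__":
    print(diagnose(ALERT_RESPONSE))
    print(diagnose(CLIENT_HELLO_RESPONSE))
```

Fed the bytes behind the "recv TLS 1.2 [length 0002]" line, the decoder reports a fatal access_denied alert, which is the supplicant's own verdict (it refused to start the handshake) rather than a server-side certificate or fragmentation fault; the "Error in fragmentation logic" line is just what SSL_read reports once the peer has aborted. When the peer is healthy, the first TLS data after EAP-TLS Start is a handshake record whose first byte is 1 (ClientHello).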
