14 Sep
2021
14 Sep
'21
8:33 a.m.
We don't use the default TLS config, and have this defined explicitly here: https://github.com/ministryofjustice/network-access-control-server/blob/main/radius/sites-enabled/radsec#L22 While debugging this, I set the tls_min_version to TLSv1.0, but this didn't make a difference sadly. Looked at the logs from the AP (Aruba 305), and the only error message is: Sep 14 12:22:26 stm[5602]: <124026> <WARN> |AP 24:f2:7f:c7:7d:ee@192.168.0.38 stm| tcp connected to nac-radsec-production (51.149.xx.xx:2083), socket 0x226a7ec, socket id 20 Sep 14 12:22:26 stm[5602]: <199802> <ERRS> |AP 24:f2:7f:c7:7d:ee@192.168.0.38 stm| rc_rad_tls.c, RadsecTLSNegotiationHandler:599: Failed to open TLS socket error error:00000001:lib(0):func(0):reason(1) Sep 14 12:22:26 stm[5602]: <199802> <ERRS> |AP 24:f2:7f:c7:7d:ee@192.168.0.38 stm| rc_rad_tls.c, RadsecTLSNegotiationHandler:601: calling cleanup for 51.149.xx.xx Sep 14 12:22:26 stm[5602]: <199802> <ERRS> |AP 24:f2:7f:c7:7d:ee@192.168.0.38 stm| rc_rad_tls.c, radsec_start_connection_retry_timer:144: radsec_start_connection_retry_timer: Connection to server nac-radsec-production failed or disconnected Also did a packet capture on the server for a radsec request, but couldn't find anything that points me in the direction of a fix. Thanks, Emile On Tue, Sep 14, 2021 at 1:23 PM Josef Vybíhal <josef.vybihal@gmail.com> wrote: > Just a guess. Does the other side support TLSv1.2? > > > https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/tls#L306 > > P. > > On Tue, Sep 14, 2021 at 2:12 PM Emile Swarts <emile.swarts123@gmail.com> > wrote: > > > I recently upgraded Alpine from v3.12 to v3.14. > > > > Noticed that Radsec stopped working, and the only error message I get in > > the server logs is "(0) FAILED in TLS handshake receive". Switching back > to > > v3.12 fixes the issue and the AP is able to establish the Radsec tunnel > and > > do the authentication. > > > > I'm currently looking through all the dependencies that upgraded as part > of > > the OS upgrade but it's difficult to pinpoint which one broke Radsec. > Noted > > that openssl has stayed on the same version. > > > > FreeRadius versions went from: > > freeradius-lib-3.0.21-r3 > > freeradius-3.0.21-r3 > > freeradius-eap-3.0.21-r3 > > > > To: > > freeradius-lib-3.0.23-r0 > > freeradius-3.0.23-r0 > > freeradius-eap-3.0.23-r0 > > > > The rest of the package upgrades can be found here: > > https://gist.github.com/emileswarts/fd7d46556eacac096d318170aea7a19d > > > > Does anyone have any pointers on how to narrow down this bug? > > > > Thanks, > > Emile > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html