EAP-TLS Fragmentation Error
Hi Gang, I get the following auth failure for machines connecting wirelessly through a Cisco AP-1142N:
eap: Calling submodule eap_tls to process data eap_tls: Continuing EAP-TLS eap_tls: Peer indicated complete TLS record size will be 31 bytes eap_tls: Got complete TLS record (31 bytes) eap_tls: [eaptls verify] = length included eap_tls: <<< recv TLS 1.2 [length 0002] eap_tls: ERROR: TLS Alert read:fatal:access denied eap_tls: SSL_read Error eap_tls: ERROR: Error in fragmentation logic eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied eap_tls: ERROR: [eaptls process] = fail eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed eap: Sending EAP Failure (code 4) ID 12 length 4
There appears to be no method to this madness. Same setup[1] at our auxiliary site and everything works fine. I don't know how to interpret this error, so looking for a root cause has so far escaped me. Some of our Windows 10 workstations connect without any problems, some won't. The only obvious difference between those two locations is the model of Cisco WAP involved. Could this be an authenticator issue? Any pointers greatly appreciated! Mike [1] v.3.0.17 on Debian 10.3
On 28 February 2020 06:01:01 GMT, freeradius@lunchinglads.net wrote:
eap_tls: <<< recv TLS 1.2 [length 0002] eap_tls: ERROR: TLS Alert read:fatal:access denied
Check file permissions of the certificate and key (and parent directories) and make sure that the user FreeRADIUS runs as can read them.
There appears to be no method to this madness. Same setup[1] at our auxiliary site and everything works fine.
I'm guessing same file contents but different mode. -- Matthew
Ok. That was me having a senior moment. Our server got a brand new name with corresponding device cert/CN. Some of those Windows boxes were checking for the old name. I moved everything to the new setup, and the problem is gone. Thanks, guys, for looking into this for me. Bests, Mike -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+freeradius=machichemicals.com@lists.freeradius.org] On Behalf Of Matthew Newton Sent: Friday, February 28, 2020 4:47 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>; freeradius@lunchinglads.net Subject: Re: EAP-TLS Fragmentation Error On 28 February 2020 06:01:01 GMT, freeradius@lunchinglads.net wrote:
eap_tls: <<< recv TLS 1.2 [length 0002] eap_tls: ERROR: TLS Alert read:fatal:access denied
Check file permissions of the certificate and key (and parent directories) and make sure that the user FreeRADIUS runs as can read them.
There appears to be no method to this madness. Same setup[1] at our auxiliary site and everything works fine.
I'm guessing same file contents but different mode. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Gang,
I get the following auth failure for machines connecting wirelessly through a Cisco AP-1142N:
eap: Calling submodule eap_tls to process data eap_tls: Continuing EAP-TLS eap_tls: Peer indicated complete TLS record size will be 31 bytes eap_tls: Got complete TLS record (31 bytes) eap_tls: [eaptls verify] = length included eap_tls: <<< recv TLS 1.2 [length 0002] eap_tls: ERROR: TLS Alert read:fatal:access denied eap_tls: SSL_read Error eap_tls: ERROR: Error in fragmentation logic eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied eap_tls: ERROR: [eaptls process] = fail eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed eap: Sending EAP Failure (code 4) ID 12 length 4 There appears to be no method to this madness. Same setup[1] at our auxiliary site and everything works fine.
I don't know how to interpret this error, so looking for a root cause has so far escaped me. Some of our Windows 10 workstations connect without any problems, some won't. The only obvious difference between those two locations is the model of Cisco WAP involved. Could this be an authenticator issue?
Any pointers greatly appreciated!
Mike
[1] v.3.0.17 on Debian 10.3
it would be great to see the full debug output, but it looks like the EAP-Message attribute from the radius client contains TLS Alert "eap_tls: <<< recv TLS 1.2 [length 0002]" with error code 49 (access denied). Instead of alert, the client should send Client Hello.
participants (4)
-
freeradius@lunchinglads.net -
Matthew Newton -
Mike Ruebner -
Nikita Borisenkov