EAP-TLS Fragmentation Error

freeradius at lunchinglads.net
Fri Feb 28 07:01:01 CET 2020

Hi Gang,

I get the following auth failure for machines connecting wirelessly through a Cisco AP-1142N:

> eap: Calling submodule eap_tls to process data
> eap_tls: Continuing EAP-TLS
> eap_tls: Peer indicated complete TLS record size will be 31 bytes
> eap_tls: Got complete TLS record (31 bytes)
> eap_tls: [eaptls verify] = length included
> eap_tls: <<< recv TLS 1.2  [length 0002]
> eap_tls: ERROR: TLS Alert read:fatal:access denied
> eap_tls: SSL_read Error
> eap_tls: ERROR: Error in fragmentation logic
> eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
> eap_tls: ERROR: [eaptls process] = fail
> eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
> eap: Sending EAP Failure (code 4) ID 12 length 4

There appears to be no method to this madness. Same setup[1] at our auxiliary site and everything works fine.

I don't know how to interpret this error, so looking for a root cause has so far escaped me. Some of our Windows 10 workstations connect without any problems, some won't. The only obvious difference between those two locations is the model of Cisco WAP involved. Could this be an authenticator issue?

Any pointers greatly appreciated!


[1] v.3.0.17 on Debian 10.3
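The debug lines quoted above carry more than they seem to: "TLS Alert read:" comes from FreeRADIUS's OpenSSL info callback and means the alert arrived from the peer (the supplicant), whereas "TLS Alert write:" would mean the server sent it; and the packed OpenSSL code 14094419 encodes the same alert as reason 1049, i.e. 1000 + AlertDescription 49 (access_denied). The following script is an added example, not part of the original post or of FreeRADIUS itself; it triages a pasted radiusd -X excerpt by unpacking the OpenSSL 1.x error code (the layout Debian 10's OpenSSL 1.1.1 uses; OpenSSL 3.x packs codes differently), recording which side raised the alert, and cross-checking the two. The SAMPLE_LOG text is constructed to mirror the lines in the post, and the hint table is general guidance, not a diagnosis of this thread.

```python
"""Triage an eap_tls failure from FreeRADIUS 'radiusd -X' output.

Added example (not from the original post or the FreeRADIUS project).
"""
import re

# Constructed sample, shaped like the debug excerpt quoted in the post.
SAMPLE_LOG = """\
eap_tls: Continuing EAP-TLS
eap_tls: Peer indicated complete TLS record size will be 31 bytes
eap_tls: Got complete TLS record (31 bytes)
eap_tls: [eaptls verify] = length included
eap_tls: <<< recv TLS 1.2  [length 0002]
eap_tls: ERROR: TLS Alert read:fatal:access denied
eap_tls: SSL_read Error
eap_tls: ERROR: Error in fragmentation logic
eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
"""

# TLS AlertDescription values (RFC 5246 section 7.2.2); a subset, not the full registry.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}

# General guidance for alerts a supplicant sends a RADIUS server; not specific to this thread.
PEER_ALERT_HINTS = {
    "access_denied": "supplicant refused to continue; with Windows supplicants this commonly "
                     "follows a failed server-certificate check (issuer not trusted or server "
                     "name not accepted) on the client side",
    "unknown_ca": "supplicant does not trust the CA that issued the server certificate",
    "certificate_expired": "supplicant considers the server certificate expired",
    "protocol_version": "supplicant and server have no TLS version in common",
}

ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+?)\s*$")
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
RECORD_RE = re.compile(r"complete TLS record size will be (\d+) bytes")


def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.x packed error code: (lib << 24) | (func << 12) | reason.

    For a received TLS alert OpenSSL uses reason = 1000 + AlertDescription.
    """
    code = int(code_hex, 16)
    reason = code & 0xFFF
    alert = reason - 1000 if 1000 <= reason < 1256 else None
    return {
        "lib": code >> 24,              # 0x14 = SSL library
        "func": (code >> 12) & 0xFFF,   # 0x094 = ssl3_read_bytes in OpenSSL 1.1
        "reason": reason,
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
    }


def triage(log_text):
    """Return a dict describing the TLS alert seen in a FreeRADIUS debug excerpt."""
    result = {"direction": None, "level": None, "alert_name": None, "origin": None,
              "openssl": None, "record_len": None, "consistent": None, "hint": None}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            result["direction"], result["level"] = m.group(1), m.group(2)
            result["alert_name"] = m.group(3).strip().replace(" ", "_")
            # FreeRADIUS logs this from its OpenSSL info callback:
            # 'read' = alert received from the peer (supplicant), 'write' = this server sent it.
            result["origin"] = "peer" if m.group(1) == "read" else "server"
        m = OPENSSL_ERR_RE.search(line)
        if m:
            result["openssl"] = decode_openssl_error(m.group(1))
        m = RECORD_RE.search(line)
        if m:
            result["record_len"] = int(m.group(1))
    if result["openssl"] and result["alert_name"]:
        # The info-callback text and the packed code describe the same alert; flag any mismatch.
        result["consistent"] = result["openssl"]["alert_name"] == result["alert_name"]
    if result["origin"] == "peer":
        result["hint"] = PEER_ALERT_HINTS.get(result["alert_name"])
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['level']} {r['alert_name']} alert sent by {r['origin']}, "
          f"OpenSSL reason {r['openssl']['reason']} (alert {r['openssl']['alert']}), "
          f"consistent={r['consistent']}")
    if r["hint"]:
        print("hint:", r["hint"])
```

The "Error in fragmentation logic" line is a consequence, not the cause: SSL_read failed because a fatal alert arrived, and the surrounding fragmentation code reports that failure. A 31-byte record carrying a 2-byte alert is also consistent with an alert already encrypted under an AEAD suite (5-byte header + 8-byte explicit nonce + 2 bytes + 16-byte tag), so the handshake had progressed that far before the supplicant gave up.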

More information about the Freeradius-Users mailing list