Radsec Regression Alpine 3.14

Emile Swarts emile.swarts123 at gmail.com
Tue Sep 14 14:33:07 CEST 2021


We don't use the default TLS config, and have this defined explicitly here:
https://github.com/ministryofjustice/network-access-control-server/blob/main/radius/sites-enabled/radsec#L22
While debugging this, I set the tls_min_version to TLSv1.0, but this didn't
make a difference sadly.

Looked at the logs from the AP (Aruba 305), and the only error message is:

Sep 14 12:22:26  stm[5602]: <124026> <WARN> |AP 24:f2:7f:c7:7d:ee at 192.168.0.38 stm|  tcp connected to nac-radsec-production (51.149.xx.xx:2083), socket 0x226a7ec, socket id 20
Sep 14 12:22:26  stm[5602]: <199802> <ERRS> |AP 24:f2:7f:c7:7d:ee at 192.168.0.38 stm|  rc_rad_tls.c, RadsecTLSNegotiationHandler:599: Failed to open TLS socket error error:00000001:lib(0):func(0):reason(1)
Sep 14 12:22:26  stm[5602]: <199802> <ERRS> |AP 24:f2:7f:c7:7d:ee at 192.168.0.38 stm|  rc_rad_tls.c, RadsecTLSNegotiationHandler:601: calling cleanup for 51.149.xx.xx
Sep 14 12:22:26  stm[5602]: <199802> <ERRS> |AP 24:f2:7f:c7:7d:ee at 192.168.0.38 stm|  rc_rad_tls.c, radsec_start_connection_retry_timer:144: radsec_start_connection_retry_timer: Connection to server nac-radsec-production failed or disconnected

Also did a packet capture on the server for a radsec request, but
couldn't find anything that points me in the direction of a fix.

Thanks,

Emile





On Tue, Sep 14, 2021 at 1:23 PM Josef Vybíhal <josef.vybihal at gmail.com>
wrote:

> Just a guess. Does the other side support TLSv1.2?
>
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/tls#L306
>
> P.
>
> On Tue, Sep 14, 2021 at 2:12 PM Emile Swarts <emile.swarts123 at gmail.com>
> wrote:
>
> > I recently upgraded Alpine from v3.12 to v3.14.
> >
> > Noticed that Radsec stopped working, and the only error message I get in
> > the server logs is "(0) FAILED in TLS handshake receive". Switching back to
> > v3.12 fixes the issue and the AP is able to establish the Radsec tunnel and
> > do the authentication.
> >
> > I'm currently looking through all the dependencies that upgraded as part of
> > the OS upgrade but it's difficult to pinpoint which one broke Radsec. Noted
> > that openssl has stayed on the same version.
> >
> > FreeRadius versions went from:
> > freeradius-lib-3.0.21-r3
> > freeradius-3.0.21-r3
> > freeradius-eap-3.0.21-r3
> >
> > To:
> > freeradius-lib-3.0.23-r0
> > freeradius-3.0.23-r0
> > freeradius-eap-3.0.23-r0
> >
> > The rest of the package upgrades can be found here:
> > https://gist.github.com/emileswarts/fd7d46556eacac096d318170aea7a19d
> >
> > Does anyone have any pointers on how to narrow down this bug?
> >
> > Thanks,
> > Emile
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html

