Controller Based WLANs

Why is the controller unable to establish a TLS session with radsecproxy?

Q:

Why is the controller unable to establish a TLS session with radsecproxy?



A:

When radsecproxy is introduced between the controller and the FreeRADIUS server to proxy RADIUS requests, the controller is unable to establish a TLS tunnel with radsecproxy.

The following error messages are observed when the issue occurs:

Dec 11 15:48:45 :124004:  <DBUG> |authmgr|  Auth GSM: Num dev_id_cache entries aged = 0
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Starting SSL connection to server radsec.nwag.lab
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  tac_connect: connected to 10.65.240.254.
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  TCP connect success on socket 63
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Setting keepalive options for socket 63
Dec 11 15:48:48 :199802:  <ERRS> |authmgr|  radsec.c, RadsecTLSNegotiationHandler:940: Failed to open TLS socket error for server radsec.nwag.lab
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Cleaning up socket 63
Dec 11 15:48:48 :199802:  <ERRS> |authmgr|  radsec.c, radsec_start_connection_retry_timer_for_socket:550: Failed to establish TLS connection with server radsec.nwag.lab. Starting a retry...
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  Starting SSL connection to server radsec.nwag.lab
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  tac_connect: connected to 10.65.240.254.
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  TCP connect success on socket 63
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  Setting keepalive options for socket 63
Dec 11 15:48:49 :199802:  <ERRS> |authmgr|  radsec.c, RadsecTLSNeg

It was found that radsecproxy was using TLS 1.0 to establish the tunnel, which is NOT supported by Aruba RadSec.

After changing the radsecproxy setting so that it negotiates TLS 1.2, the tunnel was established successfully.

Specifically:

Edit the file /root/radsecproxy-1.6.6/tlscommon.c and replace TLSv1_method() with TLSv1_1_method():

 

#ifdef RADPROT_TLS
    case RAD_TLS:
        /* was TLSv1_method(), i.e. TLS 1.0 only; TLSv1_1_method() is
           OpenSSL's fixed-version TLS 1.1 method */
        ctx = SSL_CTX_new(TLSv1_1_method());

Then recompile and reinstall radsecproxy (./configure, make and make install).
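In the log excerpt above, every "TCP connect success" is followed directly by "Failed to open TLS socket", which is what places the fault in the TLS handshake rather than in reachability. The following Python script is an added example, not part of the original article or of any Aruba tooling; it applies that reading to authmgr debug output, and the names triage and verdict are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt above (the last one is truncated there too).
SAMPLE_LOG = """\
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Starting SSL connection to server radsec.nwag.lab
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  TCP connect success on socket 63
Dec 11 15:48:48 :199802:  <ERRS> |authmgr|  radsec.c, RadsecTLSNegotiationHandler:940: Failed to open TLS socket error for server radsec.nwag.lab
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  Starting SSL connection to server radsec.nwag.lab
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  TCP connect success on socket 63
Dec 11 15:48:49 :199802:  <ERRS> |authmgr|  radsec.c, RadsecTLSNeg
"""

START = re.compile(r"Starting SSL connection to server (\S+)")
TCP_OK = re.compile(r"TCP connect success on socket \d+")
TLS_FAIL = re.compile(r"Failed to open TLS socket error for server (\S+)")

def triage(log_text):
    """Count RadSec connection attempts per server and how far each one got."""
    stats = defaultdict(lambda: dict(attempts=0, tcp_ok=0, tls_failed=0, incomplete=0))
    current = None  # [server, tcp_connected] for the attempt in progress
    for line in log_text.splitlines():
        if s := START.search(line):
            if current:  # previous attempt never logged an outcome
                stats[current[0]]["incomplete"] += 1
            current = [s.group(1), False]
            stats[current[0]]["attempts"] += 1
        elif current and TCP_OK.search(line):
            current[1] = True
            stats[current[0]]["tcp_ok"] += 1
        elif current and (f := TLS_FAIL.search(line)) and f.group(1) == current[0]:
            if current[1]:  # TCP was up, so the failure is in the TLS handshake
                stats[current[0]]["tls_failed"] += 1
            current = None
    if current:  # log ended (or was truncated) mid-attempt
        stats[current[0]]["incomplete"] += 1
    return dict(stats)

def verdict(s):
    """Map the counters to the layer worth investigating first."""
    if s["tls_failed"]:
        return "tls-negotiation"  # peer reachable: compare TLS versions and certificates
    if s["attempts"] and not s["tcp_ok"]:
        return "tcp-connect"      # never reached the peer: check routing, port, firewall
    return "no-failure-seen"

if __name__ == "__main__":
    for server, s in triage(SAMPLE_LOG).items():
        print(server, s, verdict(s))
```

A "tls-negotiation" result is the cue to compare the TLS protocol versions configured on the controller and on radsecproxy, as was done in this case.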

Version history: revision 4 of 4
Last update: 06-02-2016 08:51 PM