Here is an interesting problem that has me banging my head in frustration.
We have a student on eduroam with 3 devices: an Android phone, an iPad and a Windows 10 Surface device.
When the student is on campus, all 3 devices associate to eduroam and can use all our network resources as they should.
When the student is away at another university, they start to hit issues with the Win 10 laptop.
The iPad can roam just fine.
The Android phone can roam fine.
The Surface will not connect to eduroam at all.
If I look in Access Tracker, I can see authentication failed with the following message:
Error Code: | 215 |
Error Category: | Authentication failure |
Error Message: | TLS session error |
Alerts for this Request: | RADIUS | EAP-PEAP: fatal alert by client - access_denied TLS session reuse error |
Initially I was thinking that it was a Win 10 issue, but we have successfully been able to roam via eduroam on the same device using another test account, so that rules out Win 10.
It can't be an account issue, as the user would not be able to connect or roam on their other 2 devices; they can, so the account is OK.
If I look in the logs I can see the following: an SSL error which leads to an invalid tunnel.
2017-05-05 10:05:01,836 | [RequestHandler-1-0x7fe2da1f0700 r=psauto-1484427338-1283585 h=127 r=R0009cd03-04-590c403d] INFO Core.ServiceReqHandler - Service classification result = Eduroam 802.1x Roaming User Authentication |
2017-05-05 10:05:01,862 | [Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 137:380:985FD3D276C3 |
2017-05-05 10:05:01,863 | [Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A |
2017-05-05 10:05:01,863 | [Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A |
2017-05-05 10:05:01,864 | [Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 137:1145:985FD3D276C3:ACQA3QDnAFhjEkMAJNQLQtiQsaC7jWYUQFx09A== |
2017-05-05 10:05:01,882 | [Th 59 Req 4395620 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 139:204:985FD3D276C3 |
2017-05-05 10:05:01,883 | [Th 59 Req 4395620 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 139:1141:985FD3D276C3:AHgA5gBGAFFkEkMAYkDPaCQmS07OEeg9gEfBFw== |
2017-05-05 10:05:01,902 | [Th 53 Req 4395621 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 154:204:985FD3D276C3 |
2017-05-05 10:05:01,902 | [Th 53 Req 4395621 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 154:1141:985FD3D276C3:AHYAjwC3ABBlEkMAUPuXRTJw0B4eF9dYYXQl7g== |
2017-05-05 10:05:01,922 | [Th 57 Req 4395622 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 138:204:985FD3D276C3 |
2017-05-05 10:05:01,922 | [Th 57 Req 4395622 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 138:1141:985FD3D276C3:AFQAnQAfABxmEkMAK+vwsUb1BafpTAoSbNceUA== |
2017-05-05 10:05:01,941 | [Th 54 Req 4395623 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 75:205:985FD3D276C3 |
2017-05-05 10:05:01,942 | [Th 54 Req 4395623 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 75:966:985FD3D276C3:AGUAPQCOAG5nEkMANtAIRufcum+otX9Z6tj6eg== |
2017-05-05 10:05:01,963 | [Th 56 Req 4395624 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 136:334:985FD3D276C3 |
2017-05-05 10:05:01,963 | [Th 56 Req 4395624 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 136:160:985FD3D276C3:AFEAmgCPAEhoEkMAe/hl5rVHaRMBp6JhtEKFzg== |
2017-05-05 10:05:02,040 | [Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 161:239:985FD3D276C3 |
2017-05-05 10:05:02,040 | [Th 55 Req 4395625 SessId R0009cd03-04-590c403d] ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied |
2017-05-05 10:05:02,040 | [Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_eap_tls: No data inside of the tunnel. |
2017-05-05 10:05:02,040 | [Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_eap_peap: No data inside of the tunnel. |
We have removed all relevant certs and have recreated her profile but we still have this issue - any ideas on how to fix this?
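
A triage helper for log excerpts like the one above, added here as an example and not part of the original post: it groups RadiusServer lines by SessId, counts Access-Challenge rounds, and reports which side sent each TLS alert. The function name `summarize` is hypothetical, the sample lines are constructed with placeholder session ids and state values, and it assumes the OpenSSL convention that "TLS Alert read" means the alert was received from the peer (the client, as seen from the RADIUS server).

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown in the post; ids and state values are placeholders.
SAMPLE = """\
2017-05-05 10:05:01,836 | [RequestHandler-1-0x0 r=example-1 h=1 r=R-EXAMPLE-01] INFO Core.ServiceReqHandler - Service classification result = Eduroam 802.1x Roaming User Authentication |
2017-05-05 10:05:01,864 | [Th 51 Req 101 SessId R-EXAMPLE-01] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 137:1145:AABBCCDDEEFF:PLACEHOLDER1== |
2017-05-05 10:05:01,883 | [Th 59 Req 102 SessId R-EXAMPLE-01] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 139:1141:AABBCCDDEEFF:PLACEHOLDER2== |
2017-05-05 10:05:02,040 | [Th 55 Req 103 SessId R-EXAMPLE-01] ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied |
2017-05-05 10:06:10,100 | [Th 52 Req 201 SessId R-EXAMPLE-02] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 140:1145:AABBCCDDEEFF:PLACEHOLDER3== |
"""

# timestamp | [context] LEVEL component - message, with an optional trailing " |"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \| \[(?P<ctx>[^\]]*)\] "
    r"(?P<level>[A-Z]+)\s+(?P<comp>\S+) - (?P<msg>.*?)(?: \|)?\s*$")
SESS_RE = re.compile(r"SessId (\S+)")
ALERT_RE = re.compile(r"TLS Alert (read|write):(warning|fatal):(.+)")


def summarize(text):
    """Return {session_id: {"challenges": int, "alerts": [(ts, sender, level, desc)]}}."""
    sessions = defaultdict(lambda: {"challenges": 0, "alerts": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or unrelated line
        sid = SESS_RE.search(m["ctx"])
        if not sid:
            continue  # e.g. RequestHandler lines, which carry no "SessId" field
        entry = sessions[sid.group(1)]
        if "Access-Challenge" in m["msg"]:
            entry["challenges"] += 1  # one more EAP round trip sent to the client
        alert = ALERT_RE.search(m["msg"])
        if alert:
            # "read" = alert received by the server, so the client sent it
            sender = "client" if alert.group(1) == "read" else "server"
            entry["alerts"].append(
                (m["ts"], sender, alert.group(2), alert.group(3).strip()))
    return dict(sessions)


if __name__ == "__main__":
    for sid, info in summarize(SAMPLE).items():
        print(sid, info["challenges"], info["alerts"])
```
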