why controller is unable to establish TLS session with radsecproxy? 

Jun 02, 2016 05:04 PM

Q:

why controller is unable to establish TLS session with radsecproxy?



A:

When the Radsecproxy is introduced between controller and free Radius server to proxy the Radius request, the controller is unable to establish TLS tunnel with radsecproxy.

The following error messages are observed when the issue occurs.


Dec 11 15:48:45 :124004:  <DBUG> |authmgr|  Auth GSM: Num dev_id_cache entries aged = 0
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Starting SSL connection to server radsec.nwag.lab
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  tac_connect: connected to 10.65.240.254.
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  TCP connect success on socket 63
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Setting keepalive options for socket 63
Dec 11 15:48:48 :199802:  <ERRS> |authmgr|  radsec.c, RadsecTLSNegotiationHandler:940: Failed to open TLS socket error for server radsec.nwag.lab
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Cleaning up socket 63
Dec 11 15:48:48 :199802:  <ERRS> |authmgr|  radsec.c, radsec_start_connection_retry_timer_for_socket:550: Failed to establish TLS connection with server radsec.nwag.lab. Starting a retry...
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  Starting SSL connection to server radsec.nwag.lab
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  tac_connect: connected to 10.65.240.254.
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  TCP connect success on socket 63
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  Setting keepalive options for socket 63
Dec 11 15:48:49 :199802:  <ERRS> |authmgr|  radsec.c, RadsecTLSNeg

It was found that radsecproxy is using TLS 1.0 to establish the tunnel, which is NOT supported by Aruba RadSec.

After changing the radsecproxy setting so that it negotiates TLS 1.2, the tunnel was established successfully.
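Triage of the failure pattern shown in the log above, as an added example that is not part of the original answer or of radsecproxy: it parses the controller's authmgr lines (embedded inline from the log above; the final line is truncated as in the capture) and flags any RadSec server whose TCP connect succeeds but whose TLS handshake keeps failing and retrying, which is the signature a protocol-version or cipher mismatch leaves. The log-line layout regex and the analyze and diagnose functions are assumptions of this example, not a controller or radsecproxy API.

```python
import re
from collections import defaultdict

# Controller log lines embedded from the capture above (the final line is
# truncated in the capture itself and is kept as-is).
SAMPLE_LOG = """\
Dec 11 15:48:45 :124004:  <DBUG> |authmgr|  Auth GSM: Num dev_id_cache entries aged = 0
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Starting SSL connection to server radsec.nwag.lab
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  tac_connect: connected to 10.65.240.254.
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  TCP connect success on socket 63
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Setting keepalive options for socket 63
Dec 11 15:48:48 :199802:  <ERRS> |authmgr|  radsec.c, RadsecTLSNegotiationHandler:940: Failed to open TLS socket error for server radsec.nwag.lab
Dec 11 15:48:48 :124004:  <DBUG> |authmgr|  Cleaning up socket 63
Dec 11 15:48:48 :199802:  <ERRS> |authmgr|  radsec.c, radsec_start_connection_retry_timer_for_socket:550: Failed to establish TLS connection with server radsec.nwag.lab. Starting a retry...
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  Starting SSL connection to server radsec.nwag.lab
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  tac_connect: connected to 10.65.240.254.
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  TCP connect success on socket 63
Dec 11 15:48:49 :124004:  <DBUG> |authmgr|  Setting keepalive options for socket 63
Dec 11 15:48:49 :199802:  <ERRS> |authmgr|  radsec.c, RadsecTLSNeg
"""

# Layout of a line as seen above: "<Mon dd HH:MM:SS> :<msgid>: <SEV> |<process>| <message>".
# This regex is an assumption of the example, written against the lines above.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+):\s+"
    r"<(?P<sev>[A-Z]+)>\s+\|(?P<proc>\w+)\|\s+(?P<msg>.*)$"
)
START_RE = re.compile(r"Starting SSL connection to server (?P<server>\S+)")
CONNECT_RE = re.compile(r"tac_connect: connected to (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
TCP_OK_RE = re.compile(r"TCP connect success on socket (?P<sock>\d+)")
TLS_FAIL_RE = re.compile(r"Failed to open TLS socket error for server (?P<server>\S+)")
RETRY_RE = re.compile(r"Failed to establish TLS connection with server (?P<server>\S+)\. Starting a retry")


def parse_line(line):
    """Split one log line into its fields; None if the line does not follow the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def new_stats():
    return {"ssl_attempts": 0, "tcp_ok": 0, "tls_fail": 0, "retries": 0, "ips": set()}


def analyze(log_text):
    """Per RadSec server: how often the controller tried, got TCP up, and then lost TLS."""
    stats = defaultdict(new_stats)
    current = None  # server named by the most recent "Starting SSL connection"
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "authmgr":
            continue
        msg = rec["msg"]
        if (m := START_RE.search(msg)):
            current = m["server"]
            stats[current]["ssl_attempts"] += 1
        elif (m := CONNECT_RE.search(msg)) and current:
            stats[current]["ips"].add(m["ip"])
        elif TCP_OK_RE.search(msg) and current:
            stats[current]["tcp_ok"] += 1
        elif (m := TLS_FAIL_RE.search(msg)):
            stats[m["server"]]["tls_fail"] += 1
        elif (m := RETRY_RE.search(msg)):
            stats[m["server"]]["retries"] += 1
    return dict(stats)


def diagnose(stats):
    """Classify each server; reachable-but-handshake-failing is the TLS mismatch signature."""
    verdicts = {}
    for server, s in stats.items():
        if s["tcp_ok"] > 0 and s["tls_fail"] > 0:
            verdicts[server] = "tls-handshake-failure"
        elif s["ssl_attempts"] > 0 and s["tcp_ok"] == 0:
            verdicts[server] = "tcp-unreachable"
        else:
            verdicts[server] = "no-failure-seen"
    return verdicts


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    for server, verdict in diagnose(stats).items():
        s = stats[server]
        print(f"{server} ({', '.join(sorted(s['ips']))}): {verdict}; "
              f"attempts={s['ssl_attempts']} tcp_ok={s['tcp_ok']} "
              f"tls_fail={s['tls_fail']} retries={s['retries']}")
```

The distinguishing signal is "TCP connect success" immediately followed by "Failed to open TLS socket" on the same socket: the proxy is reachable, so the problem lies in the handshake (protocol version, cipher suites or certificates) rather than in routing or firewalling, and the one-second retry loop will repeat until the proxy side is changed. For reference, the OpenSSL method names pin a context to a single protocol version: TLSv1_method() is TLS 1.0, TLSv1_1_method() is TLS 1.1 and TLSv1_2_method() is TLS 1.2; newer OpenSSL releases provide TLS_method() together with SSL_CTX_set_min_proto_version() to set a floor instead of a single version.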


Specifically:


Edit the file /root/radsecproxy-1.6.6/tlscommon.c and replace TLSv1_method() with TLSv1_1_method():


#ifdef RADPROT_TLS
case RAD_TLS:
    ctx = SSL_CTX_new(TLSv1_1_method());  /* <-- changed; was TLSv1_method(), i.e. TLS 1.0 */


Then recompile and install radsecproxy (./configure, make, make install).
