Thanks a lot Fredriksson. I managed to start the radius daemon successfully with your suggestions; now my next problem is to test user authentication from Active Directory. Using ntlm_auth I can test user authentication. When I do the following:

    radtest ActDirectUser ActDirectUserPassword 127.0.0.1 1812 testing123
    Sending Access-Request of id 178 to 127.0.0.1 port 1812
            User-Name = "ActDirectUser"
            User-Password = "ActDirectUserPassword"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=178, length=20

And when I use IP address x.x.x.x in place of 127.0.0.1, requests keep on being resent and ultimately I get "radclient: no response from server for ID nnn".

Need more help.

THANKS

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Turbo Fredriksson
Sent: Monday, September 10, 2007 2:06 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius+Active directory - router login authentciation

Quoting "Rakesh Jha" <[EMAIL PROTECTED]>:

I'm far from an expert in FreeRADIUS (so take what I say with a grain of salt), but I instantly noticed this.

> tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
> tls: check_cert_cn = "(null)"
> tls: cipher_list = "(null)"
> tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap_tls: Unable to open DH file - (null)
> rlm_eap: Failed to initialize type tls

It can't open the 'DH file' (don't quite know which one that is), but I would assume that it's some (or maybe all?) of the first three files. Do they exist? Does the freeradius daemon have the right to _read_ those files (are you running the daemon under some user _not_ root)? I run (default in Debian GNU/Linux) the daemon under the 'freerad' user, so this user must be able to read the files mentioned (AND have the right to access all directory paths before it).

Also, the 'check_cert_cn' is empty. If you don't use it, uncomment it in the config file. Probably goes for the options 'check_cert_cn' and 'check_cert_issuer' too.

I DO use them, and my eap.conf file looks like this:

----- s n i p -----
celia:~# egrep 'check_cert_issuer|check_cert_cn|cipher_list' /etc/freeradius/eap.conf
        check_cert_issuer = "<see below>"
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
----- s n i p -----

The 'check_cert_issuer' value is a little personal (something I wouldn't want to post to the 'Net) but is the value found in the 'subject' line when running the command:

    openssl x509 -subject -noout -in <cacert>

----- s n i p -----
celia:~# openssl x509 -subject -noout -in /etc/ssl/CA/cacert.pem
subject= <secret>
----- s n i p -----

> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1962] Unknown module "eap".
> radiusd.conf[1909] Failed to parse authenticate section.

These will probably go away once you have fixed the tls parts above...

> As you have written 'as are most "helpful" pages not on freeradius.org',
> can you please suggest some links which guide correctly to configure
> radius, openssl and active directory.

I think Alan is a little 'judgmental' (wrong choice, but I can't quite get the exact translation of what I meant) here. I would be too if (since!) people don't think for themselves and only follow external 'documentation' to the letter without trying to actually understand what it means... Following ANY documentation requires UNDERSTANDING! Not HOW, but WHY ('... a certain option is used with a special value').

DISCLAIMER (before Alan slaps me :): I'm in no way better myself - I'm lousy at reading documentation. I only read a little here and a little there, but I (almost) always understand the parts that I DO read :)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-------------------------------------------------------
Burgan Bank S.A.K www.burgan.com
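Turbo's point that the daemon user must be able to read the certificate files AND traverse every directory above them is the usual cause of "Unable to open ... file" on a file that clearly exists. The script below is an added example (not code from the thread or from the FreeRADIUS project) that walks each path component and reports the first one that blocks access; the paths in the comments are the ones from the quoted eap.conf output, the 'freerad' user name is taken from the thread, and invoking it through `su` is an assumption about your system.

```shell
#!/bin/sh
# Added example, not code from the thread: check that a FreeRADIUS
# certificate/key file is reachable and readable by the user running this
# script. Each directory above the file must be searchable (x bit) and the
# file itself readable (r bit); a failure at any level makes a file that
# exists look unopenable to the daemon.
#
# Run it as the daemon user, e.g. (assumes the Debian 'freerad' user named
# in the thread and that su is available):
#   su -s /bin/sh freerad -c 'sh check_cert_access.sh \
#       /usr/local/etc/raddb/certs/cert-srv.pem \
#       /usr/local/etc/raddb/certs/demoCA/cacert.pem'

# check_cert_access FILE
# Prints the first component that blocks access, or "OK:" with the file's
# permissions. Returns 0 when the file is readable, 1 otherwise.
check_cert_access() {
    file=$1
    dir=$(dirname "$file")
    # Walk upward from the file's directory to the root; every level needs
    # the search (x) bit or the lookup of the file fails.
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ ! -d "$dir" ]; then
            echo "MISSING DIRECTORY: $dir"
            return 1
        fi
        if [ ! -x "$dir" ]; then
            echo "NO SEARCH PERMISSION: $(ls -ld "$dir")"
            return 1
        fi
        dir=$(dirname "$dir")
    done
    if [ ! -f "$file" ]; then
        echo "MISSING FILE: $file"
        return 1
    fi
    if [ ! -r "$file" ]; then
        echo "NOT READABLE: $(ls -l "$file")"
        return 1
    fi
    echo "OK: $(ls -l "$file")"
    return 0
}

# Check every path given on the command line; exit status 1 if any fails.
status=0
for f in "$@"; do
    check_cert_access "$f" || status=1
done
if [ $# -gt 0 ]; then
    exit "$status"
fi
```

Note that root passes every check regardless of the mode bits, so the script only tells you something when it runs as the unprivileged daemon user; the `ls -ld` output it prints for the failing component shows which owner, group or mode to adjust.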