This is a new installation using openssl 0.9.8j and freeradius 2.1.3. I get this error when running in debug mode:

    radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback
Prior to running in debug mode, I ran ./bootstrap under the freeradius/certs directory. The output:

    radius02:/etc/freeradius/certs# ./bootstrap
    openssl dhparam -out dh 1024
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ........................................................................................................................................................................................................................+.........................+..............+................+....+.......+................................................+.....................................................................++*++*++*
    openssl req -new -out server.csr -keyout server.key -config ./server.cnf
    Generating a 2048 bit RSA private key
    ..........+++
    .......+++
    writing new private key to 'server.key'
    -----
    openssl req -new -x509 -keyout ca.key -out ca.pem \
            -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
    Generating a 2048 bit RSA private key
    .......+++
    ..................................................................................................................................+++
    writing new private key to 'ca.key'
    -----
    openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
    Using configuration from ./server.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar 11 04:59:02 2009 GMT
                Not After : Mar 11 04:59:02 2010 GMT
            Subject:
                countryName               = FR
                stateOrProvinceName       = Radius
                organizationName          = Example Inc.
                commonName                = Example Server Certificate
                emailAddress              = ad...@example.com
            X509v3 extensions:
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
    Certificate is to be certified until Mar 11 04:59:02 2010 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
    openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
    MAC verified OK
    openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

radiusd -X output:

    FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 11 2009 at 14:14:37
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/clients.conf
    including files in directory /etc/freeradius/modules/
    including configuration file /etc/freeradius/modules/detail.log
    including configuration file /etc/freeradius/modules/expr
    including configuration file /etc/freeradius/modules/ippool
    including configuration file /etc/freeradius/modules/radutmp
    including configuration file /etc/freeradius/modules/mschap
    including configuration file /etc/freeradius/modules/attr_filter
    including configuration file /etc/freeradius/modules/echo
    including configuration file /etc/freeradius/modules/pam
    including configuration file /etc/freeradius/modules/realm
    including configuration file /etc/freeradius/modules/smbpasswd
    including configuration file /etc/freeradius/modules/digest
    including configuration file /etc/freeradius/modules/mac2ip
    including configuration file /etc/freeradius/modules/inner-eap
    including configuration file /etc/freeradius/modules/sql_log
    including configuration file /etc/freeradius/modules/roles_search
    including configuration file /etc/freeradius/modules/detail
    including configuration file /etc/freeradius/modules/expiration
    including configuration file /etc/freeradius/modules/patient_search
    including configuration file /etc/freeradius/modules/preprocess
    including configuration file /etc/freeradius/modules/chap
    including configuration file /etc/freeradius/modules/linelog
    including configuration file /etc/freeradius/modules/sradutmp
    including configuration file /etc/freeradius/modules/policy
    including configuration file /etc/freeradius/modules/checkval
    including configuration file /etc/freeradius/modules/wimax
    including configuration file /etc/freeradius/modules/exec
    including configuration file /etc/freeradius/modules/unix
    including configuration file /etc/freeradius/modules/pap
    including configuration file /etc/freeradius/modules/files
    including configuration file /etc/freeradius/modules/mac2vlan
    including configuration file /etc/freeradius/modules/always
    including configuration file /etc/freeradius/modules/attr_rewrite
    including configuration file /etc/freeradius/modules/passwd
    including configuration file /etc/freeradius/modules/etc_group
    including configuration file /etc/freeradius/modules/counter
    including configuration file /etc/freeradius/modules/detail.example.com
    including configuration file /etc/freeradius/modules/logintime
    including configuration file /etc/freeradius/modules/acct_unique
    including configuration file /etc/freeradius/modules/perl
    including configuration file /etc/freeradius/modules/krb5
    including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
    including configuration file /etc/freeradius/modules/people_search
    including configuration file /etc/freeradius/modules/ldap
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/policy.conf
    including files in directory /etc/freeradius/sites-enabled/
    including configuration file /etc/freeradius/sites-enabled/default
    including configuration file /etc/freeradius/sites-enabled/svmhsradius02.stvincents.com.au
    including configuration file /etc/freeradius/sites-available/default
    including dictionary file /etc/freeradius/dictionary
    main {
            prefix = "/etc"
            localstatedir = "/var"
            logdir = "/var/log/radius"
            libdir = "/usr/lib/freeradius"
            radacctdir = "/var/log/freeradius/radacct"
            hostname_lookups = no
            max_request_time = 30
            cleanup_delay = 5
            max_requests = 1024
            allow_core_dumps = no
            pidfile = "/var/run/freeradius/freeradius.pid"
            checkrad = "/usr/sbin/checkrad"
            debug_level = 0
            proxy_requests = no
     log {
            stripped_names = no
            auth = no
            auth_badpass = no
            auth_goodpass = no
     }
     security {
            max_attributes = 200
            reject_delay = 1
            status_server = yes
     }
    }
     client 127.0.0.1 {
            require_message_authenticator = no
            secret = "testing123"
            shortname = "localhost"
            nastype = "other"
     }
     client 10.56.13.161 {
            require_message_authenticator = no
            secret = "itscadmin"
            shortname = "svhxvr01acs01"
            nastype = "cisco"
     }
    radiusd: #### Loading Realms and Home Servers ####
    radiusd: #### Instantiating modules ####
     instantiate {
     Module: Linked to module rlm_expr
     Module: Instantiating expr
     }
    radiusd: #### Loading Virtual Servers ####
    server virtual.example.com {
     modules {
     Module: Checking authenticate {...} for more modules to load
     Module: Linked to module rlm_chap
     Module: Instantiating chap
     Module: Linked to module rlm_mschap
     Module: Instantiating mschap
      mschap {
            use_mppe = yes
            require_encryption = no
            require_strong = no
            with_ntdomain_hack = no
      }
     Module: Linked to module rlm_eap
     Module: Instantiating eap
      eap {
            default_eap_type = "md5"
            timer_expire = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = no
            max_sessions = 2048
      }
     Module: Linked to sub-module rlm_eap_md5
     Module: Instantiating eap-md5
     Module: Linked to sub-module rlm_eap_leap
     Module: Instantiating eap-leap
     Module: Linked to sub-module rlm_eap_gtc
     Module: Instantiating eap-gtc
       gtc {
            challenge = "Password: "
            auth_type = "PAP"
       }
     Module: Linked to sub-module rlm_eap_tls
     Module: Instantiating eap-tls
       tls {
            rsa_key_exchange = no
            dh_key_exchange = yes
            rsa_key_length = 512
            dh_key_length = 512
            verify_depth = 0
            pem_file_type = yes
            private_key_file = "/etc/freeradius/certs/server.pem"
            certificate_file = "/etc/freeradius/certs/server.pem"
            CA_file = "/etc/freeradius/certs/ca.pem"
            private_key_password = "whatever"
            dh_file = "/etc/freeradius/certs/dh"
            random_file = "/dev/urandom"
            fragment_size = 1024
            include_length = yes
            check_crl = no
            cipher_list = "DEFAULT"
            make_cert_command = "/etc/freeradius/certs/bootstrap"
        cache {
            enable = no
            lifetime = 24
            max_entries = 255
        }
       }
    radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback

------------------------------------------------------------------------------------------------------------

** other configuration files...
eap.conf:

    # -*- text -*-
    ##
    ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
    ##
    ##  $Id$

    #######################################################################
    #
    #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
    #  is smart enough to figure this out on its own.  The most
    #  common side effect of setting 'Auth-Type := EAP' is that the
    #  users then cannot use ANY other authentication method.
    #
    #
    eap {
            default_eap_type = md5
            timer_expire     = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = no
            max_sessions = 2048

            #  Supported EAP-types
            #
            #  We do NOT recommend using EAP-MD5 authentication
            #  for wireless connections.  It is insecure, and does
            #  not provide for dynamic WEP keys.
            #
            md5 {
            }

            # Cisco LEAP
            #
            #  We do not recommend using LEAP in new deployments.  See:
            #  http://www.securiteam.com/tools/5TP012ACKE.html
            #
            leap {
            }

            #  Proxying the tunneled EAP-GTC session is a bad idea,
            #  the users password will go over the wire in plain-text,
            #  for anyone to see.
            #
            gtc {
                    auth_type = PAP
            }

            ## EAP-TLS
            #
            #  If OpenSSL was not found at the time the server was
            #  built, the "tls", "ttls", and "peap" sections will
            #  be ignored.
            #
            #
            tls {
                    certdir = ${confdir}/certs
                    cadir = ${confdir}/certs
                    private_key_password = whatever
                    private_key_file = ${certdir}/server.pem
                    certificate_file = ${certdir}/server.pem
                    CA_file = ${cadir}/ca.pem
                    dh_file = ${certdir}/dh
            #       random_file = ${certdir}/random
                    random_file = /dev/urandom
            #       fragment_size = 1024
            #       include_length = yes
            #       check_crl = yes
            #       CA_path = /path/to/directory/with/ca_certs/and/crls/
            #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
            #       check_cert_cn = %{User-Name}
            #       cipher_list = "DEFAULT"
                    make_cert_command = "${certdir}/bootstrap"
                    cache {
                            enable = no
                            lifetime = 24 # hours
                            max_entries = 255
                    }
            }

            #  The TTLS module implements the EAP-TTLS protocol,
            #  which can be described as EAP inside of Diameter,
            #  inside of TLS, inside of EAP, inside of RADIUS...
            #
            #  You can make TTLS require a client cert by setting
            #
            #       EAP-TLS-Require-Client-Cert = Yes
            #
            #  in the control items for a request.
            #
            ttls {
                    default_eap_type = md5
                    copy_request_to_tunnel = no
                    use_tunneled_reply = no
                    virtual_server = "inner-tunnel"
            }

            ##################################################
            #
            #  !!!!! WARNINGS for Windows compatibility  !!!!!
            #
            ##################################################
            #
            #  If you see the server send an Access-Challenge,
            #  and the client never sends another Access-Request,
            #  then
            #
            #               STOP!
            #
            #  The server certificate has to have special OID's
            #  in it, or else the Microsoft clients will silently
            #  fail.  See the "scripts/xpextensions" file for
            #  details, and the following page:
            #
            #       http://support.microsoft.com/kb/814394/en-us
            #
            #  For additional Windows XP SP2 issues, see:
            #
            #       http://support.microsoft.com/kb/885453/en-us
            #
            #  Note that we do not necessarily agree with their
            #  explanation... but the fix does appear to work.
            #
            ##################################################

            #  You can make PEAP require a client cert by setting
            #
            #       EAP-TLS-Require-Client-Cert = Yes
            #
            #  in the control items for a request.
            #
            peap {
                    default_eap_type = mschapv2
                    copy_request_to_tunnel = no
                    use_tunneled_reply = no
            #       proxy_tunneled_request_as_eap = yes
                    virtual_server = "inner-tunnel"
            }

            #  Note also that in order for this sub-module to work,
            #  the main 'mschap' module MUST ALSO be configured.
            #
            mschapv2 {
            }
    }

sites-enabled/default:

    ######################################################################
    #
    #  As of 2.0.0, FreeRADIUS supports virtual hosts using the
    #  "server" section, and configuration directives.
    #
    #  Virtual hosts should be put into the "sites-available"
    #  directory.  Soft links should be created in the "sites-enabled"
    #  directory to these files.  This is done in a normal installation.
    #
    #  $Id$
    #
    ######################################################################
    #
    #  Read "man radiusd" before editing this file.  See the section
    #  titled DEBUGGING.  It outlines a method where you can quickly
    #  obtain the configuration you want, without running into
    #  trouble.  See also "man unlang", which documents the format
    #  of this file.
    #
    ######################################################################
    authorize {
            preprocess
    #       auth_log
            chap
            mschap
            suffix
    #       ntdomain
            eap {
                    ok = return
            }
    #       unix
            files
            roles_search
            people_search
            patient_search
    #       daily
    #       checkval
    #       expiration
    #       logintime
    #       pap
    #       Autz-Type Status-Server {
    #
    #       }
    }

    #  Authentication.
    #
    authenticate {
    #       Auth-Type PAP {
    #               pap
    #       }
            Auth-Type CHAP {
                    chap
            }
            Auth-Type MS-CHAP {
                    mschap
            }
    #       Auth-Type LDAP {
    #               ldap
    #       }
            eap
    }

    #
    #  Pre-accounting.  Decide which accounting type to use.
    #
    preacct {
            preprocess
            acct_unique
    #       IPASS
            suffix
    #       ntdomain
            files
    }

    #
    #  Accounting.  Log the accounting data.
    #
    accounting {
    #       preprocess
            detail
    #       daily
            unix
            radutmp
    #       sradutmp
    #       main_pool
    #       pgsql-voip
    #       attr_filter.accounting_response
    #       Acct-Type Status-Server {
    #
    #       }
    }

    session {
            radutmp
    }

    #  Post-Authentication
    post-auth {
    #       main_pool
    #       reply_log
    #       sql
    #       sql_log
    #       ldap
    #       exec
    #       Post-Auth-Type REJECT {
    #               attr_filter.access_reject
    #       }
    }

    pre-proxy {
    #       attr_rewrite
    #       files
    #       attr_filter.pre-proxy
    #       pre_proxy_log
    }

    post-proxy {
    #       post_proxy_log
    #       attr_rewrite
    #       attr_filter.post-proxy
    #       eap
    #       Post-Proxy-Type Fail {
    #               detail
    #       }
    }

cheers
Peter

- List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html
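A "symbol lookup error ... undefined symbol" from a module that radiusd has just dlopen'ed means the dynamic loader could not find that function in any library mapped into the process when the module first called it. The script below is an added diagnostic example, not part of Peter's post and not FreeRADIUS code: it parses `ldd` and `nm -D` output to show which library (if any) exports the symbol for the module, and which libssl the radiusd binary itself maps. It assumes `ldd` and binutils `nm` are installed; the module path, symbol name and the /usr/sbin/radiusd default are taken from the error message above and are only illustrative.

```shell
#!/bin/sh
# Added example (not from the post or from FreeRADIUS): find which shared
# object should provide a symbol the loader reports as undefined.
# Assumes ldd and binutils nm exist; paths/defaults are illustrative.

# From `ldd FILE` text on stdin, print the resolved absolute path of each mapped
# library ("libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x...)"). vdso lines
# ("linux-gate.so.1 => (0x...)"), the loader line and "=> not found" entries
# have no path in field 3 and are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# From `nm -D FILE` text on stdin, succeed (exit 0) only if SYM is *defined*
# there: the type letter is anything but U/w/v (undefined, weak undefined).
# Version suffixes ("SSL_CTX_set_info_callback@@OPENSSL_1_1_0") are stripped
# before comparing so the check also works against newer libssl builds.
nm_defines() {
    awk -v s="$1" '
        NF >= 2 { name = $NF; sub(/@.*/, "", name)
                  if (name == s && $(NF-1) !~ /^[Uwv]$/) found = 1 }
        END     { exit !found }'
}

# Report where SYM comes from for MODULE and which libssl DAEMON maps. The
# module and the daemon that dlopen()s it must end up with the same libssl;
# with lazy binding a mismatch only surfaces when the PLT entry for SYM is
# first resolved, i.e. during module instantiation, exactly as in the log.
diagnose() {
    module=$1; sym=$2; daemon=${3:-/usr/sbin/radiusd}

    if ! nm -D "$module" | grep -q " U $sym\$"; then
        echo "$module does not import $sym; the failing lookup is elsewhere"
    fi

    echo "== libraries mapped for $module"
    ldd "$module" | grep 'not found' | sed 's/^/   MISSING: /'
    found=0
    for lib in $(ldd "$module" | ldd_paths); do
        if nm -D "$lib" | nm_defines "$sym"; then
            echo "   $sym is exported by $lib"; found=1
        fi
    done
    [ "$found" -eq 1 ] || echo "   no dependency of the module exports $sym"

    echo "== libssl mapped by $daemon (must be the same file as above)"
    ldd "$daemon" | ldd_paths | grep libssl || echo "   $daemon maps no libssl"
}

# Usage: sh diagnose.sh /usr/lib/rlm_eap_tls-2.1.3.so SSL_CTX_set_info_callback
# Starting the daemon with LD_BIND_NOW=1 (LD_BIND_NOW=1 radiusd -X) makes the
# loader resolve every symbol at dlopen time, so all unresolved ones show up
# at once instead of one per first call.
if [ "$#" -ge 2 ]; then
    diagnose "$1" "$2" "$3"
fi
```

If the module's own `nm -D` lists the symbol as `U` and none of its `ldd` dependencies defines it, the module was built without a DT_NEEDED entry for libssl and relies on radiusd (or something it loads earlier) to have mapped one; if radiusd maps a different libssl than the one the module was compiled against, the two builds need to be brought onto the same OpenSSL.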