Re: help on OpenSUSE installation
mx5450, if I were you, I would think of changing the OS. I tried to use Suse for freeRADIUS installation and it didn't work. It has some exceptions and I wasn't able to find a workaround. I'd suggest CentOS 5.2 or Ubuntu (last server version). They work fine with freeRADIUS.

regards,
Bruno

2009/5/12 mx5450 mx5...@prodigy.net.mx

Team,

I'm trying to set up freeradius 2.1.4 in an AMD 64 X2 system with an OpenSUSE 11.1 (x86_64.iso) OS. I must tell you that I'm new to Linux and Freeradius.

According to the instructions on freeradius.org/radiusd/install I can either:

1. Get a pre-installed binary package (Peter Nixon)
2. Get the FreeRADIUS tarball

When I try to get the binary package (http://download.opensuse.org/repositories/network:/aaa/openSUSE_11.1/), I get a list of files/folders which I don't know what to do with:

    i586/
    network:aaa.repo
    repodata/
    src/
    x86_64/

As I got stuck, I tried to build it (? new term to me), by placing the tarball in usr/src/packages/SOURCES; extracting the freeradius.spec and placing it in usr/src/packages/SPECS. Then I run from the terminal prompt:

    rpmbuild -ba usr/src/packages/SPECS/freeradius.spec

However I got the message:

    mar...@win-219e0010bba:~ rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec
    sh: apxs2-prefork: command not found
    sh: apxs2-prefork: command not found
    sh: apxs2-prefork: command not found
    error: Failed build dependencies:
    db-devel is needed by freeradius-server-2.1.4-0.x86_64
    e2fsprogs-devel is needed by freeradius-server-2.1.4-0.x86_64
    gcc-c++ is needed by freeradius-server-2.1.4-0.x86_64
    gdbm-devel is needed by freeradius-server-2.1.4-0.x86_64
    gettext-devel is needed by freeradius-server-2.1.4-0.x86_64
    glibc-devel is needed by freeradius-server-2.1.4-0.x86_64
    libtool is needed by freeradius-server-2.1.4-0.x86_64
    ncurses-devel is needed by freeradius-server-2.1.4-0.x86_64
    openldap2-devel is needed by freeradius-server-2.1.4-0.x86_64
    openssl-devel is needed by freeradius-server-2.1.4-0.x86_64
    pam-devel is needed by freeradius-server-2.1.4-0.x86_64
    postgresql-devel is needed by freeradius-server-2.1.4-0.x86_64
    python-devel is needed by freeradius-server-2.1.4-0.x86_64
    unixODBC-devel is needed by freeradius-server-2.1.4-0.x86_64
    zlib-devel is needed by freeradius-server-2.1.4-0.x86_64
    apache2-devel is needed by freeradius-server-2.1.4-0.x86_64
    cyrus-sasl-devel is needed by freeradius-server-2.1.4-0.x86_64
    krb5-devel is needed by freeradius-server-2.1.4-0.x86_64
    libapr1-devel is needed by freeradius-server-2.1.4-0.x86_64
    libmysqlclient-devel is needed by freeradius-server-2.1.4-0.x86_64
    mar...@win-219e0010bba:~

I read about this and regarding the dependencies it seems that some features are not installed and that I need the OpenSUSE disk to load them from the YAST. However I cannot seem to find what the sh: apxs2-prefork: command not found message is about or how to fix that. I'm stuck again. Could you help with this?

Thanks in advance

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Error binding to port for 0.0.0.0 port 1812
I really can't make it work on SUSE 11.0. I didn't find any information about it and there are no attempts left for me. I would like to know what distributions really handle freeRADIUS in a good manner. I think of CentOS 5.2, but do I really need to download 7 iso images to put it into work?

Regards,
Bruno

2009/3/24 t...@kalik.net

Unfortunately, your suggestion didn't have any result. I'm using SUSE 11.0 OS...

So, find SuSE maintainer and ask him.

Do I have to initiate freeRADIUS through freeradius -X ?

That's not likely to work either. radiusd is already running. Try good old:

    killall radiusd

Then start it again (with -X or not).

Ivan Kalik
Kalik Informatika ISP
Error binding to port for 0.0.0.0 port 1812
Dawgs,

I received the following error when starting debug mode or issuing freeradius reload and catching the error in radius.log:

    Tue Mar 24 16:16:05 2009 : Error: Failed binding to socket: Address already in use
    Tue Mar 24 16:16:05 2009 : Error: /etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

I disabled IPv6 and verified if there is another service running on this port...

    RADIUS:~ # lsof -i:1812
    COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    radiusd 3568 root 5u IPv4  10046      0t0  UDP *:1812

    RADIUS:~ # netstat -unpl
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address   Foreign Address State PID/Program name
    udp        0      0 0.0.0.0:1812    0.0.0.0:*             3568/radiusd
    udp        0      0 0.0.0.0:1813    0.0.0.0:*             3568/radiusd
    udp        0      0 0.0.0.0:1814    0.0.0.0:*             3568/radiusd
    udp        0      0 0.0.0.0:43956   0.0.0.0:*             2564/avahi-daemon:
    udp        0      0 0.0.0.0:5353    0.0.0.0:*             2564/avahi-daemon:
    udp        0      0 0.0.0.0:111     0.0.0.0:*             2347/portmap
    udp        0      0 0.0.0.0:631     0.0.0.0:*             2663/cupsd

According to the outputs above there is just one service running on this port... I don't know what else I can do. I saw all topics related to my problem but no one gave me a solution.
Re: Error binding to port for 0.0.0.0 port 1812
I didn't understand what you meant... I issued lsof and verified only one service running on 1812 port!

2009/3/24 Anders Holm anders.h...@sysadmin.ie

No, you haven't stopped radius then. Only one service per port. man lsof if you're not sure which process is holding on to the port.

Sent from my iPhone

On 24 Mar 2009, at 20:12, Bruno Noronha bhnoro...@gmail.com wrote:

Dawgs,

I received the following error when starting debug mode or issuing freeradius reload and catching the error in radius.log:

    Tue Mar 24 16:16:05 2009 : Error: Failed binding to socket: Address already in use
    Tue Mar 24 16:16:05 2009 : Error: /etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

I disabled IPv6 and verified if there is another service running on this port...

    RADIUS:~ # lsof -i:1812
    COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    radiusd 3568 root 5u IPv4  10046      0t0  UDP *:1812

    RADIUS:~ # netstat -unpl
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address   Foreign Address State PID/Program name
    udp        0      0 0.0.0.0:1812    0.0.0.0:*             3568/radiusd
    udp        0      0 0.0.0.0:1813    0.0.0.0:*             3568/radiusd
    udp        0      0 0.0.0.0:1814    0.0.0.0:*             3568/radiusd
    udp        0      0 0.0.0.0:43956   0.0.0.0:*             2564/avahi-daemon:
    udp        0      0 0.0.0.0:5353    0.0.0.0:*             2564/avahi-daemon:
    udp        0      0 0.0.0.0:111     0.0.0.0:*             2347/portmap
    udp        0      0 0.0.0.0:631     0.0.0.0:*             2663/cupsd

According to the outputs above there is just one service running on this port... I don't know what else I can do. I saw all topics related to my problem but no one gave me a solution.
Re: Error binding to port for 0.0.0.0 port 1812
Unfortunately, your suggestion didn't have any result. I'm using SUSE 11.0 OS... Do I have to initiate freeRADIUS through freeradius -X ?

2009/3/24 t...@kalik.net

I received the following error when starting debug mode or issuing freeradius reload and catching the error in radius.log:

This is nothing to do with freeradius. People who made your distribution made that reload script. Find out who maintains freeradius for your distribution and ask them to look into it. You can always try:

    freeradius stop
    freeradius start

That should work.

Ivan Kalik
Kalik Informatika ISP
Re: Error binding to port for 0.0.0.0 port 1812
Yes.. But this port is used just for freeradius!! That's why I can't figure out a solution for this...

2009/3/24 Alan DeKok al...@deployingradius.com

Bruno Noronha wrote:

I didn't understand what you meant... I issued lsof and verified only one service running on 1812 port!

Which means you can't run *another* server on the same port. This is Unix 101.

Alan DeKok.
Re: Login to Cisco devices through freeradius
Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing permission denied remains.. It's strange, unless I have forgotten to change permission of a directory. I was expecting something like unsecure permissions which didn't happen.

2009/3/20 Alan DeKok al...@deployingradius.com

Bruno Noronha wrote:

I issued chmod 777 * in every directory related to freeradius.

Don't do that. Ever. The server comes with a default configuration that WORKS. The only reason that it doesn't have permission to read those files is because YOU changed the configuration so that the server doesn't have permission. Why are so many people insistent on breaking the working configuration? Where else do we need to document DON'T BREAK IT ?

Alan DeKok.
Re: Login to Cisco devices through freeradius
I don't think so. I'm using SUSE 11.0, is there any problem with that?

2009/3/20 t...@kalik.net

Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing permission denied remains.. It's strange, unless I have forgotten to change permission of a directory. I was expecting something like unsecure permissions which didn't happen.

Do you have something like selinux preventing access?

Ivan Kalik
Kalik Informatika ISP
Re: Login to Cisco devices through freeradius
There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?

2009/3/20 sollunga sollu...@yahoo.com

try commenting out the eap module in both radiusd.conf and sites-available/default, inner-tunnel, then try starting radiusd -X

tnt-4 wrote:

Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing permission denied remains.. It's strange, unless I have forgotten to change permission of a directory. I was expecting something like unsecure permissions which didn't happen.

Do you have something like selinux preventing access?

Ivan Kalik
Kalik Informatika ISP
Re: Login to Cisco devices through freeradius
Dawg,

I have all default installation files. I read eap.conf and it seems to be okay, I either changed any file, including adding new users! Everything remains the same... I know that chmod 777 is not recommended. I did it just to make sure that what I have isn't a permission issue.

Here is the output for id radiusd command:

    uid=108(radiusd) gid=109(radiusd) groups=109(radiusd)

Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be so simple! Is there any possibility of OS incompatibility with freeRADIUS?

tks!

2009/3/20 a.l.m.bu...@lboro.ac.uk

Hi,

There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?

hang on - do you actually HAVE any EAP cert/CA files that you are referencing in eap.conf? read eap.conf - see what files it is trying to read (cert, CA, pkcs12, random, etc) and check you actually HAVE those files.

if you have those files, then ensure that the permissions for the directory and files are suitable for reading - you DON'T EVER want 777

with 777 i could own your server and take over your infrastructure - you only want read permissions on the files...for the relevant user that the freeradius daemon is running as (usually radiusd)

what does id radiusd give as output?

alan
Re: Login to Cisco devices through freeradius
Leighton, tks for help me. I agree with you, the messages are a little bit confusing for me too. That's what I thought, problems with permission. That's why I did chmod 777, even knowing that it's not recommended. After doing this, the issue persists... I'm using the newest available version of freeradius.org.

Here follows the output of Makefile.

    /etc/raddb/certs/Makefile
    /etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found
    grep: server.cnf: No such file or directory
    /etc/raddb/certs/Makefile: line 17: PASSWORD_SERVER: command not found
    grep: ca.cnf: No such file or directory
    /etc/raddb/certs/Makefile: line 18: PASSWORD_CA: command not found
    grep: client.cnf: No such file or directory
    /etc/raddb/certs/Makefile: line 19: PASSWORD_CLIENT: command not found
    grep: client.cnf: No such file or directory
    /etc/raddb/certs/Makefile: line 21: USER_NAME: command not found
    /etc/raddb/certs/Makefile: line 28: .PHONY:: command not found
    /etc/raddb/certs/Makefile: line 29: all:: command not found
    /etc/raddb/certs/Makefile: line 31: .PHONY:: command not found
    /etc/raddb/certs/Makefile: line 32: client:: command not found
    /etc/raddb/certs/Makefile: line 34: .PHONY:: command not found
    /etc/raddb/certs/Makefile: line 35: ca:: command not found
    /etc/raddb/certs/Makefile: line 37: .PHONY:: command not found
    /etc/raddb/certs/Makefile: line 38: server:: command not found
    /etc/raddb/certs/Makefile: line 45: dh:: command not found
    /etc/raddb/certs/Makefile: line 46: DH_KEY_SIZE: command not found

And the output of ls -ls on certs directory:

    RADIUS:/etc/raddb/certs # ls -l
    total 104
    -rwxrwxrwx 1 root root    4210 Mar 17 10:49 01.pem
    -rwxrwxrwx 1 root root    4441 Nov 19 14:20 Makefile
    -rwxrwxrwx 1 root root    5343 Nov 19 14:20 README
    -rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
    -rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
    -rwxrwxrwx 1 root root    1195 Mar 17 10:49 ca.der
    -rwxrwxrwx 1 root root    1743 Mar 17 10:49 ca.key
    -rwxrwxrwx 1 root root    1675 Mar 17 10:49 ca.pem
    -rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
    -rwxrwxrwx 1 root root     466 Mar 19 15:10 dh
    -rwxrwxrwx 1 root root     120 Mar 17 10:49 index.txt
    -rwxrwxrwx 1 root root      21 Mar 17 10:49 index.txt.attr
    -rwxrwxrwx 1 root root       0 Mar 17 10:49 index.txt.old
    -rwxrwxrwx 1 root root    1024 Mar 19 15:11 random
    -rwxrwxrwx 1 root root       3 Mar 17 10:49 serial
    -rwxrwxrwx 1 root root       3 Mar 17 10:49 serial.old
    -rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
    -rwxrwxrwx 1 root root    4210 Mar 17 10:49 server.crt
    -rwxrwxrwx 1 root root    1062 Mar 17 10:49 server.csr
    -rwxrwxrwx 1 root root    1743 Mar 17 10:49 server.key
    -rwxrwxrwx 1 root root    2533 Mar 17 10:49 server.p12
    -rwxrwxrwx 1 root root    3495 Mar 17 10:49 server.pem
    -rwxrwxrwx 1 root root     578 Nov 19 14:20 xpextensions

2009/3/20 Leighton Man l.j@hud.ac.uk

There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?

Hi,

I've just struggled through all this so it's nice to try and help. Always take note of the FIRST error message in the debug. The later ones can be confusing if you don't understand what's going on. Your problem seems to be that the server can't read the certificate files. If they aren't there, it won't be able to. When I compiled freeradius it generated test certificates itself (after tweaking the Makefile). Are you using the latest version? You must have certificates to do SSL. They live in the raddb/certs directory.

Regards,
Leighton
Re: Login to Cisco devices through freeradius
Thanks man, these commands solved my problem!!

Bruno

2009/3/20 a.l.m.bu...@lboro.ac.uk

Hi,

    RADIUS:/etc/raddb/certs # ls -l
    total 104
    -rwxrwxrwx 1 root root    4210 Mar 17 10:49 01.pem
    -rwxrwxrwx 1 root root    4441 Nov 19 14:20 Makefile
    -rwxrwxrwx 1 root root    5343 Nov 19 14:20 README
    -rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
    -rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
    -rwxrwxrwx 1 root root    1195 Mar 17 10:49 ca.der
    -rwxrwxrwx 1 root root    1743 Mar 17 10:49 ca.key
    -rwxrwxrwx 1 root root    1675 Mar 17 10:49 ca.pem
    -rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
    -rwxrwxrwx 1 root root     466 Mar 19 15:10 dh
    -rwxrwxrwx 1 root root     120 Mar 17 10:49 index.txt
    -rwxrwxrwx 1 root root      21 Mar 17 10:49 index.txt.attr
    -rwxrwxrwx 1 root root       0 Mar 17 10:49 index.txt.old
    -rwxrwxrwx 1 root root    1024 Mar 19 15:11 random
    -rwxrwxrwx 1 root root       3 Mar 17 10:49 serial
    -rwxrwxrwx 1 root root       3 Mar 17 10:49 serial.old
    -rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
    -rwxrwxrwx 1 root root    4210 Mar 17 10:49 server.crt
    -rwxrwxrwx 1 root root    1062 Mar 17 10:49 server.csr
    -rwxrwxrwx 1 root root    1743 Mar 17 10:49 server.key
    -rwxrwxrwx 1 root root    2533 Mar 17 10:49 server.p12
    -rwxrwxrwx 1 root root    3495 Mar 17 10:49 server.pem
    -rwxrwxrwx 1 root root     578 Nov 19 14:20 xpextensions

    chown -R radiusd:radiusd /etc/raddb
    chmod -R 755 /etc/raddb/certs

alan
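
The permission questions in this thread (the daemon failing to open /etc/raddb/certs/ca.pem, then chmod 777 on everything) can be checked mechanically. The POSIX shell script below is an added example, not code from the thread or from the FreeRADIUS project; the function names audit_certs and class_digit are hypothetical, the *.key and *.p12 patterns come from the directory listing above, and it assumes the daemon user belongs to a single group, as the id radiusd output in the thread shows.

```sh
#!/bin/sh
# Added example, not from the thread: audit a FreeRADIUS certs directory.
# audit_certs and class_digit are hypothetical helper names.
# Usage: audit_certs /etc/raddb/certs radiusd radiusd

# class_digit MODE OWNER GROUP USER UGROUP
# Prints the octal rwx digit that applies to USER: the owner digit if USER
# owns the file, else the group digit if UGROUP matches, else "other".
# Assumption: USER has one group only (no supplementary groups checked).
class_digit() {
    m=$1
    case $m in ?) m=00$m ;; ??) m=0$m ;; esac   # pad short modes such as "0"
    other=${m#"${m%?}"}; m=${m%?}
    group=${m#"${m%?}"}; m=${m%?}
    owner=${m#"${m%?}"}
    if   [ "$4" = "$2" ]; then echo "$owner"
    elif [ "$5" = "$3" ]; then echo "$group"
    else echo "$other"
    fi
}

# audit_certs DIR USER UGROUP
# Prints one finding per line; returns 1 if anything was reported.
audit_certs() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # "mode owner group" from GNU stat, falling back to BSD stat.
        info=$(stat -c '%a %U %G' "$f" 2>/dev/null ||
               stat -f '%Lp %Su %Sg' "$f")
        mode=${info%% *}; rest=${info#* }
        name=${f##*/}
        world=${mode#"${mode%?}"}          # last digit: permissions for "other"
        mine=$(class_digit "$mode" "${rest%% *}" "${rest#* }" "$2" "$3")
        # Write bit (2) for "other": any local account can replace the file.
        if [ $((world & 2)) -ne 0 ]; then
            echo "WORLD-WRITABLE $mode $name"; rc=1
        fi
        # Read bit (4) missing for the daemon: the fopen "Permission denied" case.
        if [ $((mine & 4)) -eq 0 ]; then
            echo "UNREADABLE-BY-$2 $mode $name"; rc=1
        fi
        # Private keys and PKCS#12 bundles should not be readable by "other".
        case $name in
            *.key|*.p12)
                if [ $((world & 4)) -ne 0 ]; then
                    echo "KEY-WORLD-READABLE $mode $name"; rc=1
                fi ;;
        esac
    done
    return $rc
}
```

Run against a tree set with chmod -R 755, it still reports KEY-WORLD-READABLE for server.key, ca.key and server.p12; a mode such as 640 with group radiusd clears every finding for those files.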
Login to Cisco devices through freeradius
Buddies,

I don't know if I can issue this question here, but I need your help to implement RADIUS solution... I think that my objective is quite simple in comparison with RADIUS most variables purposes. I must login to my network devices through RADIUS server, centralizing this management process.

After installing freeradius, I couldn't start it. Checking radius.log I saw the following errors:

    Wed Mar 18 15:31:28 2009 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
    Wed Mar 18 15:31:28 2009 : Error: rlm_eap_tls: Error reading Trusted root CA list /etc/raddb/certs/ca.pem
    Wed Mar 18 15:31:28 2009 : Error: rlm_eap: Failed to initialize type tls
    Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/eap.conf[17]: Instantiation failed for module eap
    Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
    Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
    Wed Mar 18 15:31:28 2009 : Error: Errors initializing modules

I'm completely lost about the solution and I wasn't able to find any how to on the web. I appreciate any help, thanks in advance.

Bruno
Re: Login to Cisco devices through freeradius
I issued chmod 777 * in every directory related to freeradius. There is no freeradius user in users command output! No success until now...

tks!
Bruno

2009/3/19 t...@kalik.net

After installing freeradius, I couldn't start it. Checking radius.log I saw the following errors:

    Wed Mar 18 15:31:28 2009 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
    Wed Mar 18 15:31:28 2009 : Error: rlm_eap_tls: Error reading Trusted root CA list /etc/raddb/certs/ca.pem

There is nothing mysterious about these messages. User freeradius runs under doesn't have permission to open certificate files. Check permissions on the file directory mentioned in the debug.

Ivan Kalik
Kalik Informatika ISP