(no subject)

2005-12-07 Thread Landon Cox

Nicolas Baradakis wrote:

> > libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40145000)
>   ^^
> This has nothing to do with your problem, but can you please indicate
> whether you're using a binary package from Suse? If that's the case,
> Suse is distributing software with incompatible licenses linked
> together. I think maybe they are violating either the GPL or the
> OpenSSL license.

The rlm_exec .so file was timestamped 11-01-05 and I know I haven't
built anything from source for a long time on that box, so I would
have to think it was a binary package unless somehow the SuSE update
pulls and compiles source on my behalf... I don't think so.


Landon
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


OS Update broke FR - rlm_exec-1.0.0.so not found

2005-12-06 Thread Landon Cox


Hi FR community,

I've been running FR on an updated (recently fully patched apps) SuSE
9.2 (kernel 2.6.8-24-default). I was successfully running an earlier
version of FR and when I decided to do an update of FR through SuSE's
online update, FR will no longer come up and fails with a dynamic
link error:


radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
radiusd.conf[1367] Failed to link to module 'rlm_exec': /usr/lib/freeradius/rlm_exec-1.0.0.so: cannot open shared object file: No such file or directory

radius2:/home/lcox # ls /usr/lib/freeradius/rlm_exec-1*
/usr/lib/freeradius/rlm_exec-1.0.0.la  /usr/lib/freeradius/rlm_exec-1.0.0.so


As you can see, my /usr/lib/freeradius directory does have the .so  
file, but I can't tell from the output if rlm_exec is dependent upon  
some other file that is not found or the dynamic linker can't find  
rlm_exec-1.0.0.so.   So, that's one question - what is not being  
found?  Sounds obvious, except that I have the exact .so filename in  
the library search path.


SuSE Yast claims it has installed FR 1.0.0-5.6. A radiusd -v produces:
radiusd: FreeRADIUS Version 1.0.0, for host , built on May 30 2005 at 21:02:41

Copyright (C) 2000-2003 The FreeRADIUS server project.

I've seen numerous references to this exact linkage error on various  
freeradius lists as well as have seen it on lists for various  
architectures and *nix's, not just x86/SuSE Linux.  However, there is  
typically no response given to fix the problem except to rebuild FR  
with no shared libraries and even in those cases, the build often  
seems to break later leaving the admin stuck further down the line.


Is there a known solution to what seems like a relatively common  
problem of rlm_exec dynamic linkage issues?  What am I missing and  
what needs to be done to cause this to work with the shared .so lib  
file vs having to rebuild it with static libs?


Thanks in advance for any help or direction.

Landon

(Full text of -X output follows)
radius2:/home/lcox # /usr/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
radiusd.conf[1367] Failed to link to module 'rlm_exec': /usr/lib/freeradius/rlm_exec-1.0.0.so: cannot open shared object file: No such file or directory

radius2:/home/lcox # ls /usr/lib/freeradius/rlm_exec-1*
/usr/lib/freeradius/rlm_exec-1.0.0.la  /usr/lib/freeradius/rlm_exec-1.0.0.so


Re: OS Update broke FR - rlm_exec-1.0.0.so not found

2005-12-06 Thread Landon Cox

Thanks, Alan.

FYI - more research on the topic, I did an ldd on the rlm_exec file:

On a freeradius box I have which is working, I did:

radius1:/usr/lib/freeradius # ldd rlm_exec-1.0.0.so
linux-gate.so.1 =>  (0xe000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40018000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4002f000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40042000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40054000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40145000)
libc.so.6 => /lib/tls/libc.so.6 (0x40175000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
libdl.so.2 => /lib/libdl.so.2 (0x4028b000)


Then on the radius box I updated and broke I did:
radius2:/usr/lib/freeradius # ldd rlm_exec-1.0.0.so
linux-gate.so.1 =>  (0xe000)
libnsl.so.1 => /lib/libnsl.so.1 (0x55577000)
libresolv.so.2 => /lib/libresolv.so.2 (0x5558e000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x555a1000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x555b3000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x556a4000)
libc.so.6 => /lib/tls/libc.so.6 (0x556d4000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x56555000)
libdl.so.2 => /lib/libdl.so.2 (0x557ea000)

I hunted down and verified that every library that was pointed to by  
rlm_exec indeed existed on the file system.  On both systems, they  
had everything except both had no linux-gate.so.1.  But then radius1  
works fine and it shows the same paths and library existence as the  
radius2 box which fails.


Also, googling linux-gate.so.1 I saw:
What is linux-gate.so.1?:  http://www.trilithium.com/johan/2005/08/linux-gate/

and
http://kerneltrap.org/node/3405

The first link explains that an ldd report of linux-gate.so.1 that  
doesn't point to a file/path is normal in recent kernels and goes  
into detail of what it is.  In any case, it's not a problem.


After verifying that every library that is pointed to by  
rlm_exec-1.0.0.so actually exists on both the machine that works fine  
and the one that doesn't, I understand a little more but don't see  
what the problem is.   There's something else bizarre going on...or  
perhaps I still need to run ldd on each of the dependent libraries -  
maybe there's one in that tree of dependencies that's missing.


I'll also try going to 1.0.5.

Thanks,

Landon


Re: FreeRadius EAP-TLS

2005-08-25 Thread Landon Cox


On Aug 25, 2005, at 10:34 AM, Hamid Salim wrote:

> I have a 2 part question.
>
> 1. I recall reading on this forum that, Windows XP broke EAP-TLS, does
> this apply to SP2 also?


I've had XP SP2 EAP-TLS clients running against FR with no problems.

Also, for what it's worth, I've built XP Embedded configurations (XP  
for embedded devices, booting compact flash), that run SP2 and work  
fine with FR as well.


Landon


Example of Mac OS X EAP-TLS process?

2005-08-23 Thread Landon Cox


I've got a good, working FreeRadius running EAP-TLS on a SuSE 9.2  
box.  I've had good luck with WPA supplicants for XP SP2 and several  
vendor PCMCIA card supplicants - all on XP SP2.


I've been trying to get an OS X (Tiger) machine up with the same type  
of setup, but each time I set the 802.1x TLS check box, I always  
get an error stating that there is no valid certificate available on  
the machine.  I've imported both the client and root CA certs into  
the Mac OS X Keychain (the root CA imported into X509 anchors  
category and the client cert into 'logins'.)


I've generated the Mac client cert in the same way as I do the XP
client cert except without the xpextensions ASN.1 options on OpenSSL.


I realize this isn't a FreeRadius question per se but was hoping that
someone else in FR land has done an 802.1x EAP-TLS setup on OS X w/FR
and had success.


Thank you,

Landon


Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

2005-08-10 Thread Landon Cox


On Aug 8, 2005, at 9:39 AM, Landon Cox wrote:

> I'm going to do some experiments later tonight and see if I can
> isolate the success factor.


Back on this topic for a moment...some things I tried to see if I  
could break the configuration were:
1) remove the certs from the /etc/ssl/certs directory, restart  
FR, no difference - still hooked up fine since the certs are also in  
raddb/certs.


I decided to generate a client cert for a Mac box and when I imported
it into the Keychain of OS X, I noticed "This certificate is not yet
valid."


I went back and looked at the output of the certificate generation
and the validity Not Before gave a date/time stamp that was 1 hour in
the future (my timezone setting was off by one hour.)


But this made me wonder... was the unknown_ca problem caused by the
CA cert having a Not Valid Before validity that was in the future
from the real time when it was generated and then initially tested?


Is this a possible cause for an unknown_ca error?

Landon


Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

2005-08-08 Thread Landon Cox


On Aug 8, 2005, at 9:18 AM, Kris Benson wrote:

> Did you do anything differently with your 'random' file and your
> 'dh' file?
>
> Creating those properly (as opposed to the idiotic directions of
> date > dh; date > random) seemed to solve my dilemma when I was getting a
> similar issue to what you were getting.


Hi Kris,

No, both dh and random stayed as initially generated. I used the
Bauer Linux Journal article to do that step, which used the
/dev/urandom method vs date.


I'm going to do some experiments later tonight and see if I can  
isolate the success factor.


Thanks,

Landon


Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

2005-08-06 Thread Landon Cox


Thanks for looking at this, Michael.

I decided to restart the certificate generation process and did it  
again from scratch following the article.  Same results.


I did it a 3rd time, but this time copied the certs to /etc/ssl/certs
and ensured all CNs were unique (not being completely up on what is
right or wrong w/r to input values for the cert process or what
directories the new certs needed to live in, I wanted to make sure
that wasn't an issue.) So, one of those actions did the trick and I
haven't gone back to isolate which one.


After that I was able to login - authenticated in both directions,  
too.  I did go ahead and do the pkcs export password and that worked  
fine.  I'm not sure what Bauer's comment was referring to in the  
article about XP supplicants only working with non-pw protected certs  
in the store.  Oh well, it's up and working and I'm grateful.


Thank you,

Landon

On Aug 5, 2005, at 4:30 PM, Michael Wang wrote:

> Hi Landon,
>
> I think this piece from the log is suspicious:
>
> rlm_eap_tls:  Length Included
>  eaptls_verify returned 11
>  rlm_eap_tls:  TLS 1.0 Handshake [length 02ab], Certificate
> -- verify error:num=18:self signed certificate
> chain-depth=0,
> error=18
> -- User-Name = 360VL
> -- BUF-Name = 360VL
> -- subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld
> -- issuer  = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld
> -- verify return:0
>  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
>   TLS_accept:error in SSLv3 read client certificate B
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
>
> I think the problem is the user certificate that you imported into XP
> is self-signed.  What you need to do is use openssl to create a
> certificate request (using openssl req ...) and then sign that request
> using the CA (using openssl ca).  Then package up the user key and
> signed user cert into the pkcs#12 envelope (using openssl pkcs12).
> Finally import into XP.  I looked at the instructions for certificate
> generation in the linux format article and they look OK.  Make sure
> you did not miss a step or use the wrong command somewhere.
>
> As to using a password for the pkcs#12 envelope, go ahead and use it.
> When you import the pkcs#12 file into XP, it will just ask for it, and
> you enter it, and that should be it.
>
> Hope that helps.
>
> Michael
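Michael's sequence (openssl req, sign with the CA, openssl pkcs12), as an added example that is not code from the thread or from FreeRADIUS: it mints a CA-signed client cert and, beside it, a self-signed one like the one in the log above, then checks both the way the server does (subject against issuer, and openssl verify against the CA). It assumes the openssl CLI is installed, and uses openssl x509 -req -CA in place of the openssl ca step, which needs a CA directory layout; names and subjects are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on
# PATH; "openssl x509 -req -CA" stands in for the "openssl ca" step (which
# needs a CA directory layout). Otherwise: req -> sign with CA -> pkcs12.
set -eu
WORK=$(mktemp -d)   # constructed throwaway workspace
cd "$WORK"
SUBJ_CA="/C=XX/O=Example Lab/CN=Example Lab Root CA"
SUBJ_USER="/C=XX/O=Example Lab/CN=xp-client"
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# 1. Root CA: the only certificate here that should be self-signed.
openssl req -config req.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 3650 -subj "$SUBJ_CA" -keyout ca.key -out ca.crt 2>/dev/null
# 2. User key plus certificate request (openssl req without -x509).
openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
  -subj "$SUBJ_USER" -keyout user.key -out user.csr 2>/dev/null
# 3. Sign the request with the CA key; the issuer becomes the CA's subject.
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out user.crt 2>/dev/null
# 4. Bundle key + signed cert + CA as PKCS#12 for import on the client.
openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
  -passout pass:changeit -out user.p12
# The mistake seen in the log: a user cert minted with "req -x509", so
# subject == issuer and nothing chains it to the CA the server trusts.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "$SUBJ_USER" -keyout bad.key -out bad.crt 2>/dev/null

# is_self_signed CERT: true when subject and issuer match, which is the
# condition the thread's log shows at chain-depth=0.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}
# chain_ok CERT CA: true when CA validates CERT. The self-signed user cert
# fails here with "self signed certificate" (verify error 18), the same
# failure rlm_eap_tls logged before it sent the unknown_ca alert.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

for c in user.crt bad.crt; do
  is_self_signed "$c" && echo "$c: self-signed" || echo "$c: CA-issued"
  chain_ok "$c" ca.crt && echo "$c: verifies" || echo "$c: does NOT verify"
done
```

The resulting user.p12 is what gets imported on the client; the CA cert goes into the server's trusted store so that the signed client cert validates.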