Re: Compiling without OpenSSL

2013-07-09 Thread Arran Cudbard-Bell

On 9 Jul 2013, at 13:10, Rahul Godbole  wrote:

> Hi
> 
> I cross compile Freeradius 2.1.9 for my embedded device. So far we have been 
> compiling it with OpenSSL and everything works fine. However, I now want to 
> compile it without OpenSSL. Can you tell me what option I should pass to the 
> configure script for this?

--without-openssl

Could we see all the configure arguments pretty please?

> 
> I tried using --with-openssl=no and --without-openssl. However, both do not 
> seem to work because I see an error during config that these are unrecognised 
> options.

Works for me with current 2.2.x HEAD

Check Make.inc

You should see:
OPENSSL_LIBS=
OPENSSL_INCLUDE = -DNO_OPENSSL

> Also, I am trying to use CyaSSL ( cyassl.org ) instead of OpenSSL.

yassl.org

Cyassl is the name of the C library.

> Is there a ready config option for using CyaSSL?

No. The server has no explicit support for CyaSSL. They claim to have an 
OpenSSL compatibility layer, you should be able to use it by specifying:

  --with-openssl-includes=DIR  Directory to look for OpenSSL include files
  --with-openssl-libraries=DIR Directory to look for OpenSSL library files

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Compiling without OpenSSL

2013-07-09 Thread Rahul Godbole
Hi

I cross compile Freeradius 2.1.9 for my embedded device. So far we have
been compiling it with OpenSSL and everything works fine. However, I now
want to compile it without OpenSSL. Can you tell me what option I should
pass to the configure script for this?

I tried using --with-openssl=no and --without-openssl. However, both do not
seem to work because I see an error during config that these are
unrecognised options.

Also, I am trying to use CyaSSL ( cyassl.org ) instead of OpenSSL. Is there
a ready config option for using CyaSSL? I see somewhere on the internet
that --with-cyassl should work but it does not work for me.

Thanks
Rahul

Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Arran Cudbard-Bell

On 17 Sep 2012, at 10:34, Stefan Winter  wrote:

> Hi,
> 
>>>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
> 
>>>  Are you sure?  The "openssl SEGV" problem is almost always because you
>>> have two versions of OpenSSL installed.
>>> 
>>>  What is likely happening is that the compile stage is picking up the
>>> system-supplied OpenSSL include files.  The way to test this is to
>>> rename / move them, do the build, and then the install.
>>> 
>>>  If it now works, it was picking up OpenSSL X, and linking against
>>> OpenSSL Y.
>> 
>> Hm, okay... will do.
> 
> That was it indeed. Had to change the include path above to
> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include
> 
> because configure adds the openssl/ sub-path on its own. Now it works
> like a charm (as usual :-) ).
> 
> Thanks!

Also you have a typo in your config, should be "earli", assuming the 
Reply-Message is meant to be read with a piratey accent.

-Arran


Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

>>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl

>>   Are you sure?  The "openssl SEGV" problem is almost always because you
>> have two versions of OpenSSL installed.
>>
>>   What is likely happening is that the compile stage is picking up the
>> system-supplied OpenSSL include files.  The way to test this is to
>> rename / move them, do the build, and then the install.
>>
>>   If it now works, it was picking up OpenSSL X, and linking against
>> OpenSSL Y.
> 
> Hm, okay... will do.

That was it indeed. Had to change the include path above to
--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include

because configure adds the openssl/ sub-path on its own. Now it works
like a charm (as usual :-) ).

Thanks!

Stefan

> 
> Stefan
> 
>>
>>   Alan DeKok.
>>
> 
> 
> 
> 
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

>> Today, I compiled with
>>
>> --with-openssl
>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
>>
>> --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
>>
>> the path is in ld.so.conf, and ldd shows that linking against this new
>> version works.
> 
>   Are you sure?  The "openssl SEGV" problem is almost always because you
> have two versions of OpenSSL installed.
> 
>   What is likely happening is that the compile stage is picking up the
> system-supplied OpenSSL include files.  The way to test this is to
> rename / move them, do the build, and then the install.
> 
>   If it now works, it was picking up OpenSSL X, and linking against
> OpenSSL Y.

Hm, okay... will do.

Stefan

> 
>   Alan DeKok.
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Alan DeKok
Stefan Winter wrote:
> until today, I have been running FreeRADIUS 2.2.0 successfully with a
> system-supplied openSSL.
> 
> Today, I compiled with
> 
> --with-openssl
> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
> 
> --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
> 
> the path is in ld.so.conf, and ldd shows that linking against this new
> version works.

  Are you sure?  The "openssl SEGV" problem is almost always because you
have two versions of OpenSSL installed.

  What is likely happening is that the compile stage is picking up the
system-supplied OpenSSL include files.  The way to test this is to
rename / move them, do the build, and then the install.

  If it now works, it was picking up OpenSSL X, and linking against
OpenSSL Y.

  Alan DeKok.


Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

until today, I have been running FreeRADIUS 2.2.0 successfully with a
system-supplied openSSL.

Today, I compiled with

--with-openssl
--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl

--with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

the path is in ld.so.conf, and ldd shows that linking against this new
version works.

However, when running PEAP on this version, I get a segmentation fault now:

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "test.edur...@education.lu"
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Segmentation fault

The repetition of that attribute is NOT an error; it's there to inflate
the packet beyond 1500 bytes to trigger UDP fragmentation (this is our
Nagios testing).

In 2.2.0 against the old openSSL version, everything works fine -
Access-Accept. Any hints?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Alan DeKok
Houston-III, Lester L wrote:
> The rlm_eap_tls was built and I think it was installed, but I'm still getting 
> the following errors when running the server.  The last line is probably 
> shown because the tls section of eap.conf is ignored, but I'm not sure why 
> I'm getting the other lines when I run configure and it states that OpenSSL 
> is supported.
> 
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> rlm_eap: No EAP type configured, module cannot do anything.

  The EAP module needs to be built with OpenSSL support.  If you've
re-built only rlm_eap_tls, then that isn't good enough.

  The simplest way to fix this is to *delete* your existing
installation.  Then re-build and re-install.

  Alan DeKok.


RE: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Houston-III, Lester L
The rlm_eap_tls was built and I think it was installed, but I'm still getting 
the following errors when running the server.  The last line is probably shown 
because the tls section of eap.conf is ignored, but I'm not sure why I'm 
getting the other lines when I run configure and it states that OpenSSL is 
supported.

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: No EAP type configured, module cannot do anything.

-Original Message-
From: 
freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org 
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Tuesday, November 15, 2011 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Issues with EAP-TLS and OpenSSL

Houston-III, Lester L wrote:
> I finally got FR to recognize the openssl install.  Not sure what I did to 
> fix it, but I installed some additional packages that required openssl such 
> as Kerberos and that seemed to fix things.

  For the record, installing Kerberos won't fix OpenSSL issues.

  Something else happened.  The configure log will show it.

  Alan DeKok.


Re: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Alan DeKok
Houston-III, Lester L wrote:
> I finally got FR to recognize the openssl install.  Not sure what I did to 
> fix it, but I installed some additional packages that required openssl such 
> as Kerberos and that seemed to fix things.

  For the record, installing Kerberos won't fix OpenSSL issues.

  Something else happened.  The configure log will show it.

  Alan DeKok.


RE: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Houston-III, Lester L
I finally got FR to recognize the openssl install.  Not sure what I did to fix 
it, but I installed some additional packages that required openssl such as 
Kerberos and that seemed to fix things.

-Original Message-
From: 
freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org 
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Tuesday, November 15, 2011 3:25 AM
To: FreeRadius users mailing list
Subject: Re: Issues with EAP-TLS and OpenSSL

Houston-III, Lester L wrote:
> I’m trying to configure my FreeRADIUS server to support EAP-TLS but it
> keeps reporting that there is no OpenSSL support.

  You need to install the openssl-dev package.  It includes the OpenSSL
header files.

  This is probably on the Wiki, under "building it yourself".

  Alan DeKok.


RE: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Houston-III, Lester L
I have installed the openssl-dev package, but FR still thinks openssl is not 
installed.

>  You need to install the openssl-dev package.  It includes the OpenSSL
>header files.
>
>  This is probably on the Wiki, under "building it yourself".
>
>  Alan DeKok.


Re: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Alan DeKok
Houston-III, Lester L wrote:
> I’m trying to configure my FreeRADIUS server to support EAP-TLS but it
> keeps reporting that there is no OpenSSL support.

  You need to install the openssl-dev package.  It includes the OpenSSL
header files.

  This is probably on the Wiki, under "building it yourself".

  Alan DeKok.


Issues with EAP-TLS and OpenSSL

2011-11-14 Thread Houston-III, Lester L
I'm trying to configure my FreeRADIUS server to support EAP-TLS but it keeps 
reporting that there is no OpenSSL support.  I'm currently using FreeRADIUS 
version 2.1.12 on Centos 6.  I built the server from source because I needed to 
include the JRADIUS plugin.  I have been able to get things working with the 
JRADIUS and PAP, but now I'm trying to use EAP-TLS.  I have already installed 
OpenSSL core, static and development packages using yum.   Issuing the 
configure commands always results in a statement that OpenSSL is not supported, 
 (Checking for OpenSSL support .. no)  What am I missing?  Does another 
package need to be installed?

Lester Houston 111
Boeing Research & Technology
Electronics Prototyping and Integration Center (EPIC)
lester.l.houston-...@boeing.com
314-234-0621


Openssl Private Key error

2011-08-16 Thread voxner
Hi,

I had generated certificates for EAP-TLS authentication. It worked fine in a
linux setup but windows wouldn't play ball. 

Somebody pointed out that the CA.* scripts in the ssl directory can generate
windows compatible certs. I did that but when I try to use that I get the
following error regarding the private key I use during the eap handshake at
the supplicant end (taken from the logs of wpa_supplicant). 

==
OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL
routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: SSL_use_certificate_file (PEM) --> OK
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed
error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
OpenSSL: pending error: error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding
routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL
routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (PEM) failed
error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe
algorithm
OpenSSL: pending error: error:23077073:PKCS12
routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
OpenSSL: pending error: error:2306A075:PKCS12
routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
OpenSSL: pending error: error:0907B00D:PEM
routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
OpenSSL: pending error: error:140CB009:SSL
routines:SSL_use_PrivateKey_file:PEM lib
OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1
encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: Failed to load private key
TLS: Failed to load private key
'/home/user/supplicant_testing/eap_authenticator_test/last_cert/newkey.pem'
==


I use wpa_supplicant (0.7.1) in the supplicant end. Can somebody plz give me
some pointers on how to get over this problem. Is there any specific ssl
command or openssl configuration at the supplicant end that I need to take
care of...




Re: FreeRADIUS compatibility with OpenSSL

2011-05-12 Thread Alan DeKok
Nitin Bhardwaj wrote:
> FreeRADIUS crashes with a segmentation fault when running with
> openssl-1.0.0, while handling PEAP tunnel.
> (Both ver 2.x as well as 3.0.0), However it works fine with openssl 0.9.8x
> 
> My question is - what version of openssl is FreeRADIUS compatible with
> to build and link ?

  All versions of OpenSSL.

  *However* if you install multiple versions of OpenSSL, then the server
can be built using headers from version X, and at run-time link to the
library for version Y.  It *will* crash.

  In short: Install ONE version of OpenSSL.  Only one.

  If you insist on installing two, figure out the makefile / ld-config
magic to force the server to build && link to only one version of
OpenSSL.  This isn't a RADIUS problem.

  Alan DeKok.


FreeRADIUS compatibility with OpenSSL

2011-05-11 Thread Nitin Bhardwaj

Hi,

FreeRADIUS crashes with a segmentation fault when running with 
openssl-1.0.0, while handling PEAP tunnel.

(Both ver 2.x as well as 3.0.0), However it works fine with openssl 0.9.8x

My question is - what version of openssl is FreeRADIUS compatible with 
to build and link ?


--
Thanks,
Nitin


Re: Access Rejects and openSSL Problems (new install)

2011-03-24 Thread Alan DeKok
twobacons wrote:
> 2.  I see this error posted quite often on the forums, but I can't get it
> to go away:
> 
> rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
> rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
> 
> I've reinstalled debian and ran "apt-get install libssl-dev" before
> installing freeradius.  It seems like the openssl lib is not being read...
> any help will be greatly appreciated!

  You are running an old version of the package.  Upgrade to 2.1.10.

  Or, re-build the server from source.

  Alan DeKok.


Re: Access Rejects and openSSL Problems (new install)

2011-03-23 Thread twobacons
never mind about the first problem.  I restarted the rad service and it
magically started working... 



Access Rejects and openSSL Problems (new install)

2011-03-23 Thread twobacons
I just installed FreeRADIUS on Debian.  However, I'm running into a couple
problems.  

1.  I can't get localhost RADIUS test to work.  The users file is almost at
its default state except for the new user/pass I created:

user1 Cleartext-Password := "password1"

I keep getting access-rejects when testing user1/password1 on localhost,
this is the debug:

rad_recv: Access-Request packet from host 127.0.0.1 port 53121, id=109,
length=57
User-Name = "user1"
User-Password = "password1"
NAS-IP-Address = 10.1.90.150
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [user1/password1] (from client localhost port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 109 to 127.0.0.1 port 53121

Any idea how to fix the bold part of the debug?


2.  I see this error posted quite often on the forums, but I can't get it
to go away:

rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.

I've reinstalled debian and ran "apt-get install libssl-dev" before
installing freeradius.  It seems like the openssl lib is not being read...
any help will be greatly appreciated!



Re: Fw: Radius Problem EAP/TTLS Openssl support issue

2011-03-23 Thread Alan DeKok
Amrita Mandpe wrote:
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.

  You've built the server yourself, without using OpenSSL.

>  I tried to install the patch available for OpenSSL, but the error
> still persists.

  I have no idea what that means.  What "patch"?  And no patch should be
necessary.

> Also, I tried to run the rlm_eap_ttls.c file but the error I get is --

  It would help to use the correct terminology.  Otherwise, the process
to *solve* the problem will be unclear.

> It would be great if you can help me get through this issue.

  Install the "libssl-dev" package from Ubuntu, then re-build.

  Alan DeKok.


Fw: Radius Problem EAP/TTLS Openssl support issue

2011-03-23 Thread Amrita Mandpe

Hi Alan,
 
I'm new to freeRADIUS, trying to implement it for my test machine running 
currently on Ubuntu 9.04 Server. I'm trying to establish a communication between 
Windows XP, SP3 client and RADIUS SERVER ( on Ubuntu Server) through EAP/TLS and 
certificates.
 
The problem I'm facing is, when I run the server in debug mode it gives me this 
warning - 
--
Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
   }
 I tried to install the patch available for OpenSSL, but the error still 
persists. 
 
Also, I tried to run the rlm_eap_ttls.c file but the error I get is --
 
root@ubuntu:/etc/freeradius-2.1.9+dfsg/src/modules/rlm_eap/types/rlm_eap_ttls# 
./configure
checking for OpenSSL support... no
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: config.h is unchanged
 
 
It would be great if you can help me get through this issue.
 
Regards,
 
Amrita
 



Re: Issue installing FreeRadius with openSSL support on a CentOS Sever

2010-12-06 Thread John Dennis

On 12/06/2010 05:00 PM, Hanavan, John (John) wrote:

> Hi All,
>
> We have been trying to install FreeRadius with openSSL support on to a
> CentOS Server without much success. The version of FreeRadius and CentOS
> are listed below.


http://wiki.freeradius.org/Red_Hat_FAQ

Explains how to build on Red Hat systems. You might be able to take the 
Fedora 2.1.10 SRPM and build it on RHEL 5.3, or you should read the 
section "Install all necessary build requirements"


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: link FR 2.1.10 with openssl 1.0.0a

2010-11-11 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
> Everything seems to have gone well, but how can I be 100% sure that FR
> is properly linked and using libraries from my manual openssl
> installation and is not using ubuntu’s one?

  See the documentation for the dynamic linker (ld) on your system.

> How can I achieve that?

  Use the right configure options to point the FreeRADIUS build to the
directory where you installed OpenSSL 1.0.0.  See "configure --help",
and "CFLAGS" and "LDFLAGS" in the Makefiles.

  Alan DeKok.
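
The "built against OpenSSL X, linked against OpenSSL Y" condition discussed in this thread and in the 2012 segmentation-fault thread above can be checked before the server runs. The shell script below is an added example, not part of the original messages or of FreeRADIUS: its function names and the sample tree it builds are constructed for illustration. It assumes that opensslv.h defines OPENSSL_VERSION_TEXT and that libcrypto embeds the same "OpenSSL <version> <date>" banner.

```shell
#!/bin/sh
# Added example: compare the OpenSSL version of the headers a build would
# use with the version embedded in the libcrypto resolved at run time.
# All function names here are hypothetical helpers, not FreeRADIUS tooling.

# Print the version found under DIR, where DIR is the value given to
# --with-openssl-includes. configure appends openssl/ itself, so DIR must
# be the parent of the openssl/ directory.
header_version() {
    hdr="$1/openssl/opensslv.h"
    if [ ! -f "$hdr" ]; then
        if [ -f "$1/opensslv.h" ]; then
            echo "include dir $1 is one level too deep; pass its parent" >&2
        fi
        return 1
    fi
    # Captures "1.0.1c" from both "OpenSSL 1.0.1c ..." and "OpenSSL 1.0.1c-fips ..."
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' "$hdr" | head -n 1
}

# Print the version banner embedded in a libcrypto shared object (FILE).
library_version() {
    [ -f "$1" ] || return 1
    # Turn every non-printable byte into a newline, then take the first banner.
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9a-z.]*\) .*/\1/p' | head -n 1
}

# Read `ldd <binary-or-module>` output on stdin and print the path of the
# libcrypto that the dynamic linker resolves.
resolved_libcrypto() {
    sed -n 's/^[[:space:]]*libcrypto\.so[^[:space:]]*[[:space:]]*=>[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Exit status: 0 = headers and library agree, 1 = mismatch,
# 2 = one of the two versions could not be determined.
check_openssl_pair() {
    hv=$(header_version "$1") || hv=
    lv=$(library_version "$2") || lv=
    if [ -z "$hv" ] || [ -z "$lv" ]; then
        echo "UNKNOWN headers='$hv' library='$lv'"
        return 2
    fi
    if [ "$hv" = "$lv" ]; then
        echo "OK $hv"
        return 0
    fi
    echo "MISMATCH headers=$hv library=$lv"
    return 1
}

# Constructed sample tree: stand-ins for a system 0.9.8k and a private 1.0.1c.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sys/include/openssl" "$root/new/include/openssl" "$root/new/lib"
    printf '#define OPENSSL_VERSION_TEXT\t"OpenSSL 0.9.8k 25 Mar 2009"\n' \
        > "$root/sys/include/openssl/opensslv.h"
    printf '#define OPENSSL_VERSION_TEXT\t"OpenSSL 1.0.1c 10 May 2012"\n' \
        > "$root/new/include/openssl/opensslv.h"
    # Fake shared object: binary bytes around the version banner.
    printf '\177ELF\001\002OpenSSL 1.0.1c 10 May 2012\000more\n' \
        > "$root/new/lib/libcrypto.so.1.0.0"
    echo "$root"
}

# Demo on the constructed tree, using a constructed ldd line.
sample=$(make_sample)
lib=$(printf '\tlibcrypto.so.1.0.0 => %s (0x00007f0000000000)\n' \
    "$sample/new/lib/libcrypto.so.1.0.0" | resolved_libcrypto)
check_openssl_pair "$sample/new/include" "$lib" || true          # matching pair
check_openssl_pair "$sample/sys/include" "$lib" || true          # system headers, new library
check_openssl_pair "$sample/new/include/openssl" "$lib" || true  # include path one level too deep
rm -rf "$sample"
```

Feed resolved_libcrypto the ldd output of whichever binary or module actually links OpenSSL, and pass check_openssl_pair the same directory you give to --with-openssl-includes.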

link FR 2.1.10 with openssl 1.0.0a

2010-11-11 Thread Panagiotis Georgopoulos
Hello everyone,

 

  I am running ubuntu 10.04 that comes with openssl 0.9.8k.
I wanted to upgrade openssl to 1.0.0a, but I have to do this manually as my
OS does not have openssl 1.0.0a in its repository. So I downloaded, built
and installed openssl 1.0.0a from source to /usr/local/ssl and I recompiled
FR 2.1.10 with the -with-openssl=/usr/local/ssl/ option. 

 

Everything seems to have gone well, but how can I be 100% sure that FR is
properly linked and using libraries from my manual openssl installation and
is not using ubuntu's one? 

 

Unfortunately, if I run openssl version in bash I get 0.9.8k which is
ubuntu's version and my /usr/lib/libcrypto and libssl links point to
libcrypto.so.0.9.8 and libssl.so.0.9.8 respectively. I don't mind if ubuntu
is using 0.9.8k openssl (although a cleaner solution would have been nicer)
but I do want FR to be using openssl 1.0.0a. 

 

How can I achieve that?

 

Thanks in advance,

Panos


Re: Ignoring EAP-Type/tls because we do not have OpenSSL,> support.

2010-09-13 Thread Alan Buxey
Hi,

> > The messages keep appearing
> > Ignoring EAP-Type/tls because we do not have OpenSSL support.
> > Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> > Ignoring EAP-Type/peap because we do not have OpenSSL support.

I'm not sure which bit of this isn't clear enough?  the FreeRADIUS
daemon was not built with OpenSSL support - which means that when
the ./configure stage was done, either the required libraries weren't present
or it was configured with eg --disable-openssl or such. (can't recall the
flag off-hand 'cos I've never built it in that way).

if you've installed eg ssl-dev package AFTER the configure and/or install
then things won't be magically working! 

you must go through the whole configure stage WITH the right libraries 
installed.
that's the runtime OpenSSL stuff AND the development (headers/includes) for 
OpenSSL

alan


Re: Ignoring EAP-Type/tls because we do not have OpenSSL,> support.

2010-09-13 Thread David Mitchell
David Mitchell wrote:
> Douglas Caro wrote:
> 
>> # freeradius -v
>> freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built
>> on Sep 13 2010 at 09:40:57
>> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> 
> It seems suspicious to me that your freeradius is reporting a build date
> of today. Unless the .deb installation causes this date to be updated,
> it implies that you built this binary locally. I have to be honest, even
> though I run Debian a lot I usually compile FreeRadius myself so I'm not
> that familiar with the packaged version.

You tried Alexander's tips, not mine. You built your own binary, and if
you didn't get TLS support you will have to debug the configure/make
process yourself. The 2.1.8 version in the Lenny backports has TLS
support built in. I'm 100% certain of this because I just installed it
and checked.

-David Mitchell


> 
> -David Mitchell
> 
>> The messages keep appearing
>> Ignoring EAP-Type/tls because we do not have OpenSSL support.
>> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
>> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>>
>> Thanks
>> Douglas
> 
> 


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-13 Thread David Mitchell
Douglas Caro wrote:

> 
> # freeradius -v
> freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built
> on Sep 13 2010 at 09:40:57
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

It seems suspicious to me that your freeradius is reporting a build date
of today. Unless the .deb installation causes this date to be updated,
it implies that you built this binary locally. I have to be honest, even
though I run Debian a lot I usually compile FreeRadius myself so I'm not
that familiar with the packaged version.

-David Mitchell

> 
> The messages keep appearing
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.
> 
> Thanks
> Douglas


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-13 Thread Alan DeKok
Douglas Caro wrote:
> Hi David and Alexander... thank you, so much...
> 
> I've tried your tips, but it didn't work...

The Wiki contains instructions for building your own debian
package with OpenSSL support.

  Alan DeKok.


Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-13 Thread Douglas Caro

Hi David and Alexander... thank you, so much...

I've tried your tips, but it didn't work...


# dpkg -l |grep freeradius
ii  freeradius              2.1.9+git  a high-performance and highly configurable R
ii  freeradius-common       2.1.9+git  FreeRADIUS common files
ii  freeradius-dialupadmin  2.1.9+git  set of PHP scripts for administering a FreeR
ii  freeradius-ldap         2.1.9+git  LDAP module for FreeRADIUS server
ii  freeradius-utils        2.1.9+git  FreeRADIUS client utilities
ii  libfreeradius-dev       2.1.9+git  FreeRADIUS shared library development files
ii  libfreeradius2          2.1.9+git  FreeRADIUS shared library


# dpkg -l |grep libssl
ii  libssl-dev   0.9.8g-15+lenny8  SSL development libraries, header files and
ii  libssl0.9.8  0.9.8g-15+lenny8  SSL shared libraries


# freeradius -v
freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built 
on Sep 13 2010 at 09:40:57

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

The messages keep appearing
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

Thanks
Douglas


Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-10 Thread Alexander Clouter
Douglas Caro  wrote:
> 
> In #freeradius -X, I have those messages:
> 
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.
> 
> I've researched on the subject, but I didn't find anything.
> 
To be honest there is always something in the upstream version that you 
find is needed or resolves glitches.  Get a 'v2.1.x' source as detailed 
at the following page:

http://git.freeradius.org/

Once done, 'aptitude install build-essential fakeroot devscripts' and 
then type 'debuild'.  It will grumble about missing dependencies which 
you can install, then you will find 'debuild' runs through with no 
problems and after a while a number of .deb's will be lurking in the 
parent directory.

> Linux Debian Lenny
> Freeradius 2.0.4
> 
Just move straight to 'squeeze' if this is a new box and single purposed 
for RADIUS 'stuff'.

Cheers

-- 
Alexander Clouter
.sigmonster says: For 20 dollars, I'll give you a good fortune next time ...



Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-10 Thread David Mitchell
Sallee, Stephen (Jake) wrote:
> I switched to CentOS for my FR server because my Ubuntu install was
> being too picky.  I was able to get it to work but I had to compile
> OpenSSL from source, then the libs are in different places, etc.  it was
> a headache.  CentOS was much easier for me, if you're not forced to use
> Debian you may consider it.

The current Ubuntu 10.04 LTS AKA Lucid Lynx includes 2.1.8 with OpenSSL
enabled. Prior to that release, you would have had to compile from
source or otherwise obtain a build with OpenSSL enabled.

-David Mitchell

> 
> Just my $.02.
> 
> Jake Sallee
> Godfather Of Bandwidth
> Network Engineer
> 
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> 
> 
> -Original Message-
> From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
> [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
> rg] On Behalf Of John Dennis
> Sent: Friday, September 10, 2010 1:57 PM
> To: FreeRadius users mailing list
> Cc: Douglas Caro
> Subject: Re: Ignoring EAP-Type/tls because we do not have OpenSSL
> support.
> 
> On 09/10/2010 02:49 PM, Douglas Caro wrote:
>> Hi,
>>
>> In #freeradius -X, I have those messages:
>>
>> Ignoring EAP-Type/tls because we do not have OpenSSL support.
>> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
>> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>>
>> I've researched on the subject, but I didn't find anything.
>>
>> Linux Debian Lenny
>> Freeradius 2.0.4
> 
> It means it wasn't built with OpenSSL support. That used to be the case
> due to licensing issues but the new deb packages include it. Try to use
> a new package. I'm not a deb guy so I can't tell you where to find the
> newer deb packages, but it's been discussed on this list previously,
> search the archives.
> 


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-10 Thread David Mitchell
John Dennis wrote:
> On 09/10/2010 02:49 PM, Douglas Caro wrote:
>> Hi,
>>
>> In #freeradius -X, I have those messages:
>>
>> Ignoring EAP-Type/tls because we do not have OpenSSL support.
>> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
>> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>>
>> I've researched on the subject, but I didn't find anything.
>>
>> Linux Debian Lenny
>> Freeradius 2.0.4
> 
> It means it wasn't built with OpenSSL support. That used to be the case
> due to licensing issues but the new deb packages include it. Try to use
> a new package. I'm not a deb guy so I can't tell you where to find the
> newer deb packages, but it's been discussed on this list previously,
> search the archives.

Debian Stable AKA Lenny still provides 2.0.4 with no OpenSSL. Using the
backports (which is now an official Debian service) you can install the
newer 2.1.8 with OpenSSL support enabled. See
http://backports.debian.org/Instructions/ for instructions on
configuring the backports.

-David Mitchell

> 


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


RE: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-10 Thread Sallee, Stephen (Jake)
I switched to CentOS for my FR server because my Ubuntu install was
being too picky.  I was able to get it to work but I had to compile
OpenSSL from source, then the libs are in different places, etc.  it was
a headache.  CentOS was much easier for me, if you're not forced to use
Debian you may consider it.

Just my $.02.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of John Dennis
Sent: Friday, September 10, 2010 1:57 PM
To: FreeRadius users mailing list
Cc: Douglas Caro
Subject: Re: Ignoring EAP-Type/tls because we do not have OpenSSL
support.

On 09/10/2010 02:49 PM, Douglas Caro wrote:
> Hi,
>
> In #freeradius -X, I have those messages:
>
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>
> I've researched on the subject, but I didn't find anything.
>
> Linux Debian Lenny
> Freeradius 2.0.4

It means it wasn't built with OpenSSL support. That used to be the case
due to licensing issues but the new deb packages include it. Try to use
a new package. I'm not a deb guy so I can't tell you where to find the
newer deb packages, but it's been discussed on this list previously,
search the archives.

-- 
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-10 Thread John Dennis

On 09/10/2010 02:49 PM, Douglas Caro wrote:

> Hi,
>
> In #freeradius -X, I have those messages:
>
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>
> I've researched on the subject, but I didn't find anything.
>
> Linux Debian Lenny
> Freeradius 2.0.4


It means it wasn't built with OpenSSL support. That used to be the case 
due to licensing issues but the new deb packages include it. Try to use 
a new package. I'm not a deb guy so I can't tell you where to find the 
newer deb packages, but it's been discussed on this list previously,
search the archives.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-10 Thread Douglas Caro

Hi,

In #freeradius -X, I have those messages:

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

I've researched on the subject, but I didn't find anything.

Linux Debian Lenny
Freeradius 2.0.4

Thanks
Douglas


Re: Configure PEAP on FreeRadius using openssl.

2010-09-03 Thread Alan DeKok
Stephane Brodeur wrote:
> I am trying to configure FreeRADIUS for the PEAP authentication method.

  In 2.1, just install the server and start as root: "radiusd -X"

> I am using the following link to set up the FreeRADIUS server:
> 
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

  Hmm... that's pretty old, and out of date.  See my web page:

http://deployingradius.com

> I also would like to know if we can use something equivalent to CA.all
> script and how can we modify eap.conf accordingly. Any information on
> what CA.all script or any equivalent is all about would also be really
> helpful.

  See raddb/certs/README

  Alan DeKok.


Configure PEAP on FreeRadius using openssl.

2010-09-03 Thread Stephane Brodeur

Hi,


I am trying to configure FreeRADIUS for the PEAP authentication method. I am 
using the following link to set up the FreeRADIUS server:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

This document indicates that the file radiusd.conf should include the 
following entry:

authtype = MS-CHAP

It also refers to the utilization of the CA.all script

The version of FreeRADIUS running on version 5.5 does not have any entry for 
authtype = MS-CHAP in radiusd.conf file and does not have CA.all script.

Is there anybody kind enough to tell me if it is possible that my version of 
FreeRADIUS, do not know how to find it, does not need the authtype = MS-CHAP 
entry in radiusd.conf file


I also would like to know if we can use something equivalent to CA.all script 
and how can we modify eap.conf accordingly. Any information on what CA.all 
script or any equivalent is all about would also be really helpful.

Thanks
Stephane

Re: Compiling with newest OpenSSL

2010-08-26 Thread David Mitchell
Alan DeKok wrote:
> David Mitchell wrote:
>> I misread that page thinking that v2.1.x would just give me 2.1.9 and
>> that master would be 2.1.10. Either way, I was able to get v2.1.x (aka
>> 2.1.10) to configure openssl using the LIBS="-ldl" addition. I'm not
>> sure what's changed in the "master" that configure seems to figure that
>> out on its own, but it might be nice to add to 2.1.10 if it's not too
>> much work.
> 
>   You're probably using "--with-system-libtool".  Change that to (or
> add) --without-system-libtool

I'll play around with those two options more the next time I compile.

> 
>> Now I'm hitting the undefined reference to
>> `lt__PROGRAM__LTX_preloaded_symbols' problem. I think I've moved past
>> that by just adding
>> #define lt__PROGRAM__LTX_preloaded_symbols lt_libltdl_LTX_preloaded_symbols
>> to modules.c.
> 
>   That's also a libtool / libltdl issue.
> 
>> It occurs to me. Is that libtool expecting a macro to be
>> defined for _PROGRAM_ and that's why it's defining a symbol which doesn't
>> actually exist? I'm just sort of thinking out loud based on your notes here:
>> https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/421005
> 
>   It's a libtool / libltdl versioning issue.  Did I mention that they
> cause nearly as many problems as they solve?

Yeah, I think so.

-David

> 
>   Alan DeKok.


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Compiling with newest OpenSSL

2010-08-26 Thread Alan DeKok
David Mitchell wrote:
> I misread that page thinking that v2.1.x would just give me 2.1.9 and
> that master would be 2.1.10. Either way, I was able to get v2.1.x (aka
> 2.1.10) to configure openssl using the LIBS="-ldl" addition. I'm not
> sure what's changed in the "master" that configure seems to figure that
> out on its own, but it might be nice to add to 2.1.10 if it's not too
> much work.

  You're probably using "--with-system-libtool".  Change that to (or
add) --without-system-libtool

> Now I'm hitting the undefined reference to
> `lt__PROGRAM__LTX_preloaded_symbols' problem. I think I've moved past
> that by just adding
> #define lt__PROGRAM__LTX_preloaded_symbols lt_libltdl_LTX_preloaded_symbols
> to modules.c.

  That's also a libtool / libltdl issue.

> It occurs to me. Is that libtool expecting a macro to be
> defined for _PROGRAM_ and that's why it's defining a symbol which doesn't
> actually exist? I'm just sort of thinking out loud based on your notes here:
> https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/421005

  It's a libtool / libltdl versioning issue.  Did I mention that they
cause nearly as many problems as they solve?

  Alan DeKok.


Re: Compiling with newest OpenSSL

2010-08-25 Thread David Mitchell
Alan DeKok wrote:
> David Mitchell wrote:
>> I'm hitting some snags trying to compile from source with the newest
>> OpenSSL. I have compiled Openssl 1.0.0a and installed in /usr/local/ssl
>> (the default location). With FreeRadius 2.1.9 configure fails to detect
>> with errors which look like something which is possibly a problem with
>> my OpenSSL install. Ultimately, configure finds OpenSSL OK with the git
>> version but the resulting compile fails for reasons unrelated to
>> OpenSSL.
> 
>   Which "git" version are you using?  Which branch?
> 
>> I'm not sure the best way to proceed. FR 2.1.9 doesn't seem to
>> like OpenSSL 1.0.0a, but the current git version seems to have a bug
>> which is stopping the build. Any ideas? Thanks in advance!
> 
> $ LIBS="-ldl" ./configure ...
> 
>   That should address the "cannot find dlopen" issues.
> 
>   It's a little annoying that the crypto libraries require dlopen().
> 
>> I'm OK with running the git version as this is only for use on a test
>> server right now. But my compile ultimately fails with:
>>
> ...
>> /home/mitchell/src/newest/freeradius-server/src/freeradius-devel/radiusd.h:107,
>>  from rlm_acctlog.c:28:
>> /home/mitchell/src/newest/freeradius-server/src/freeradius-devel/smodule.h:144:
>> error: expected specifier-qualifier-list before ‘RADCLIENT’
> 
>   Ah... you're using the git "master" branch.  Don't do that.
> 
>   Read http://git.freeradius.org and follow the instructions for the
> "v2.1.x" branch.  That page also explains why you SHOULDN'T use the
> "master" branch.

I misread that page thinking that v2.1.x would just give me 2.1.9 and
that master would be 2.1.10. Either way, I was able to get v2.1.x (aka
2.1.10) to configure openssl using the LIBS="-ldl" addition. I'm not
sure what's changed in the "master" that configure seems to figure that
out on its own, but it might be nice to add to 2.1.10 if it's not too
much work.

Now I'm hitting the undefined reference to
`lt__PROGRAM__LTX_preloaded_symbols' problem. I think I've moved past
that by just adding
#define lt__PROGRAM__LTX_preloaded_symbols lt_libltdl_LTX_preloaded_symbols
to modules.c. It occurs to me. Is that libtool expecting a macro to be
defined for _PROGRAM_ and that's why it's defining a symbol which doesn't
actually exist? I'm just sort of thinking out loud based on your notes here:
https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/421005

Anyway, I've got it built. I need some coffee before I install and try
to run it though. Thanks for the help,

-David

> 
>   Alan DeKok.


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Compiling with newest OpenSSL

2010-08-25 Thread Alan DeKok
David Mitchell wrote:
> I'm hitting some snags trying to compile from source with the newest
> OpenSSL. I have compiled Openssl 1.0.0a and installed in /usr/local/ssl
> (the default location). With FreeRadius 2.1.9 configure fails to detect
> with errors which look like something which is possibly a problem with
> my OpenSSL install. Ultimately, configure finds OpenSSL OK with the git
> version but the resulting compile fails for reasons unrelated to
> OpenSSL.

  Which "git" version are you using?  Which branch?

> I'm not sure the best way to proceed. FR 2.1.9 doesn't seem to
> like OpenSSL 1.0.0a, but the current git version seems to have a bug
> which is stopping the build. Any ideas? Thanks in advance!

$ LIBS="-ldl" ./configure ...

  That should address the "cannot find dlopen" issues.

  It's a little annoying that the crypto libraries require dlopen().

> I'm OK with running the git version as this is only for use on a test
> server right now. But my compile ultimately fails with:
> 
...
> /home/mitchell/src/newest/freeradius-server/src/freeradius-devel/radiusd.h:107,
>  from rlm_acctlog.c:28:
> /home/mitchell/src/newest/freeradius-server/src/freeradius-devel/smodule.h:144:
> error: expected specifier-qualifier-list before ‘RADCLIENT’

  Ah... you're using the git "master" branch.  Don't do that.

  Read http://git.freeradius.org and follow the instructions for the
"v2.1.x" branch.  That page also explains why you SHOULDN'T use the
"master" branch.

  Alan DeKok.


Compiling with newest OpenSSL

2010-08-24 Thread David Mitchell
I'm hitting some snags trying to compile from source with the newest
OpenSSL. I have compiled Openssl 1.0.0a and installed in /usr/local/ssl
(the default location). With FreeRadius 2.1.9 configure fails to detect
with errors which look like something which is possibly a problem with
my OpenSSL install. Ultimately, configure finds OpenSSL OK with the git
version but the resulting compile fails for reasons unrelated to
OpenSSL. I'm not sure the best way to proceed. FR 2.1.9 doesn't seem to
like OpenSSL 1.0.0a, but the current git version seems to have a bug
which is stopping the build. Any ideas? Thanks in advance!

To wit, this configure line with FR2.1.9:

./configure --with-openssl-includes=/usr/local/ssl/include/
--with-openssl-libraries=/usr/local/ssl/lib/

Fails with these results in the config.log:

configure:21394: checking for DH_new in -lcrypto
configure:21429: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS   conftest.c -lcrypto  -L/usr/local/ssl/lib/
-lnsl -lresolv  -lpthread >&5
/usr/local/ssl/lib//libcrypto.a(dso_dlfcn.o): In function
`dlfcn_globallookup':
dso_dlfcn.c:(.text+0x1c): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x32): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x3c): undefined reference to `dlclose'
/usr/local/ssl/lib//libcrypto.a(dso_dlfcn.o): In function
`dlfcn_pathbyaddr':
dso_dlfcn.c:(.text+0x70): undefined reference to `dladdr'
dso_dlfcn.c:(.text+0xc1): undefined reference to `dlerror'
/usr/local/ssl/lib//libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.c:(.text+0x3bd): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x42e): undefined reference to `dlerror'
/usr/local/ssl/lib//libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.c:(.text+0x49d): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x50e): undefined reference to `dlerror'
/usr/local/ssl/lib//libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.c:(.text+0x56c): undefined reference to `dlclose'
/usr/local/ssl/lib//libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.c:(.text+0x615): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x66d): undefined reference to `dlclose'
dso_dlfcn.c:(.text+0x69c): undefined reference to `dlerror'
collect2: ld returned 1 exit status


But when I check the newest version of FreeRadius out from git this test
passes with the exact same configure statement. So I assume something
got changed in FreeRadius.

configure:18454: checking for DH_new in -lcrypto
configure:18489: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS   conftest.c -lcrypto  -L/usr/local/ssl/lib/
-lnsl -lresolv -ldl  -lpthread >&5
configure:18495: $? = 0
configure:18513: result: yes


I'm OK with running the git version as this is only for use on a test
server right now. But my compile ultimately fails with:

libtool: compile:  gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I/home/mitchell/src/newest/freeradius-server/src
-I/home/mitchell/src/newest/freeradius-server/libltdl -c rlm_acctlog.c
-fPIC -DPIC -o .libs/rlm_acctlog.o
In file included from
/home/mitchell/src/newest/freeradius-server/src/freeradius-devel/radiusd.h:107,
 from rlm_acctlog.c:28:
/home/mitchell/src/newest/freeradius-server/src/freeradius-devel/smodule.h:144:
error: expected specifier-qualifier-list before ‘RADCLIENT’

-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-
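
The config.log failure quoted in this message and the LIBS="-ldl" answer given in the reply can be checked mechanically. The script below is an added example, not code from the FreeRADIUS project or from anyone in this thread; the function names are hypothetical and the sample log text is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: triage a failed ./configure link probe from config.log.
# A static libcrypto.a records no dependency on libdl, so the probe's link
# line has to name -ldl itself; this script detects exactly that case.

# Unique undefined symbols reported by the linker, one per line (stdin).
undefined_symbols() {
    sed -n "s/.*undefined reference to \`\([A-Za-z_][A-Za-z0-9_]*\)'.*/\1/p" | sort -u
}

# For each "checking for ..." probe whose link step failed, print
#   <probe>|<yes|no>     (second field: was -ldl on the link line?)
failed_probes() {
    awk '
        function emit() {
            if (probe != "" && failed) print probe "|" ldl
            probe = ""; failed = 0; ldl = "no"
        }
        /^configure:[0-9]+: checking for / {
            emit()
            probe = $0
            sub(/^configure:[0-9]+: checking for /, "", probe)
            next
        }
        probe != "" && /(^|[ \t])-ldl([ \t]|$)/ { ldl = "yes" }
        probe != "" && /undefined reference to/  { failed = 1 }
        END { emit() }'
}

# Print the LIBS override only when every undefined symbol is a dynamic
# loader entry point; otherwise return 1 so that nothing is guessed.
suggest_libs() {
    syms=$(undefined_symbols)
    [ -n "$syms" ] || return 1
    for s in $syms; do
        case $s in
            dlopen|dlsym|dlclose|dladdr|dlerror) ;;
            *) return 1 ;;
        esac
    done
    echo 'LIBS="-ldl"'
}

# --- constructed sample input, shortened from the log quoted above ---
sample_failed_log() {
cat <<'EOF'
configure:21394: checking for DH_new in -lcrypto
configure:21429: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS   conftest.c -lcrypto  -L/usr/local/ssl/lib/
-lnsl -lresolv  -lpthread >&5
/usr/local/ssl/lib//libcrypto.a(dso_dlfcn.o): In function
`dlfcn_globallookup':
dso_dlfcn.c:(.text+0x1c): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x32): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x3c): undefined reference to `dlclose'
dso_dlfcn.c:(.text+0x70): undefined reference to `dladdr'
dso_dlfcn.c:(.text+0xc1): undefined reference to `dlerror'
collect2: ld returned 1 exit status
EOF
}

sample_ok_log() {
cat <<'EOF'
configure:18454: checking for DH_new in -lcrypto
configure:18489: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS   conftest.c -lcrypto  -L/usr/local/ssl/lib/
-lnsl -lresolv -ldl  -lpthread >&5
configure:18495: $? = 0
configure:18513: result: yes
EOF
}

# Demo run on the failing sample.
sample_failed_log | failed_probes
sample_failed_log | suggest_libs
```

Against a real build, feed it the file itself, for example `failed_probes < config.log`.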


RE: Ubuntu OpenSSL

2010-06-15 Thread David Peterson
I am going to answer my own question, yes the repository has the rlm_wimax
module included and working!

Thanks for all the help!

David


-Original Message-
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradiu
s.org] On Behalf Of David Peterson
Sent: Tuesday, June 15, 2010 3:34 PM
To: FreeRadius users mailing list
Subject: RE: Ubuntu OpenSSL

Do you know if the repository includes rlm_wimax or is it still considered
experimental?

David

-Original Message-
From: Josip Rodin [mailto:j...@entuzijast.net] 
Sent: Tuesday, June 15, 2010 3:32 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Ubuntu OpenSSL

On Tue, Jun 15, 2010 at 12:49:36PM -0400, David Peterson wrote:
> I  know there is probably something easy I am missing but I cannot for the
> life of me get FR to compile with OpenSSL for EAP-TTLS support.  Are there
> any how-to's on getting Ubuntu to compile OpenSSL support into FR2.1.9

You don't actually have to compile anything to get EAP-TTLS support since
2.1.8, just install the newer packages from whatever repository has 2.1.9,
see http://packages.ubuntu.com/freeradius

-- 
 2. That which causes joy or happiness.



RE: Ubuntu OpenSSL

2010-06-15 Thread David Peterson
OK did that and now I am getting the segmentfault error I noticed on the
list earlier.  Anyone remember the git command to download the patch/next
version or perhaps I did something really wrong?

David

-Original Message-
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradiu
s.org] On Behalf Of Arran Cudbard-Bell
Sent: Tuesday, June 15, 2010 3:13 PM
To: FreeRadius users mailing list
Subject: Re: Ubuntu OpenSSL



On Jun 15, 2010, at 11:29 AM, David Peterson wrote:

> === configuring in ./types/rlm_eap_ttls
(/usr/src/freeradius-server/src/modules/rlm_eap/./types/rlm_eap_ttls)
> configure: running /bin/bash ./configure '--prefix=/usr/local'
'--enable-ltdl-install=no' --cache-file=/dev/null --srcdir=.
> checking for OpenSSL support... yes

The OpenSSL library headers are packaged as libssl-dev in ubuntu.

The configure script has found the headers so remove all the freeradius
libraries and binaries copied into place from your previous 'make install',
make distclean, ./configure , make, make install.

-Arran


RE: Ubuntu OpenSSL

2010-06-15 Thread David Peterson
Do you know if the repository includes rlm_wimax or is it still considered
experimental?

David

-Original Message-
From: Josip Rodin [mailto:j...@entuzijast.net] 
Sent: Tuesday, June 15, 2010 3:32 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Ubuntu OpenSSL

On Tue, Jun 15, 2010 at 12:49:36PM -0400, David Peterson wrote:
> I  know there is probably something easy I am missing but I cannot for the
> life of me get FR to compile with OpenSSL for EAP-TTLS support.  Are there
> any how-to's on getting Ubuntu to compile OpenSSL support into FR2.1.9

You don't actually have to compile anything to get EAP-TTLS support since
2.1.8, just install the newer packages from whatever repository has 2.1.9,
see http://packages.ubuntu.com/freeradius

-- 
 2. That which causes joy or happiness.



Re: Ubuntu OpenSSL

2010-06-15 Thread Josip Rodin
On Tue, Jun 15, 2010 at 12:49:36PM -0400, David Peterson wrote:
> I  know there is probably something easy I am missing but I cannot for the
> life of me get FR to compile with OpenSSL for EAP-TTLS support.  Are there
> any how-to's on getting Ubuntu to compile OpenSSL support into FR2.1.9

You don't actually have to compile anything to get EAP-TTLS support since
2.1.8, just install the newer packages from whatever repository has 2.1.9,
see http://packages.ubuntu.com/freeradius

-- 
 2. That which causes joy or happiness.


Re: Ubuntu OpenSSL

2010-06-15 Thread Arran Cudbard-Bell


On Jun 15, 2010, at 11:29 AM, David Peterson wrote:

> === configuring in ./types/rlm_eap_ttls 
> (/usr/src/freeradius-server/src/modules/rlm_eap/./types/rlm_eap_ttls)
> configure: running /bin/bash ./configure '--prefix=/usr/local'  
> '--enable-ltdl-install=no' --cache-file=/dev/null --srcdir=.
> checking for OpenSSL support... yes

The OpenSSL library headers are packaged as libssl-dev in ubuntu.

The configure script has found the headers so remove all the freeradius 
libraries and binaries copied into place from your previous 'make install', 
make distclean, ./configure , make, make install.

-Arran
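
Two failure modes come up in these threads: configure never found OpenSSL, or configure found it but an older install is still the one running. The script below tells them apart; it is an added example, not FreeRADIUS project code, its function names and result labels are hypothetical, and its sample text (including the "no" probe line) is constructed.

```shell
#!/bin/sh
# Added example: decide why a FreeRADIUS server ignores the TLS-based EAP types.

# EAP types dropped at start-up, one per line; reads -X debug output on stdin.
ignored_eap_types() {
    sed -n 's|^.*Ignoring EAP-Type/\([A-Za-z0-9_-]*\) because we do not have OpenSSL support\..*$|\1|p' | sort -u
}

# Print "<module> <result>" for every OpenSSL probe in ./configure output
# (stdin); the module comes from the enclosing "=== configuring in" line.
openssl_probe_results() {
    awk '
        /=== configuring in / {
            mod = $0
            sub(/^.*=== configuring in[ \t]+/, "", mod)   # drop the prefix
            sub(/[ \t].*$/, "", mod)                       # drop "(full path)"
            sub(/^.*\//, "", mod)                          # keep the basename
        }
        /checking for OpenSSL support\.\.\. / {
            res = $0
            sub(/^.*checking for OpenSSL support\.\.\. */, "", res)
            sub(/[ \t\r]+$/, "", res)
            name = (mod == "" ? "top-level" : mod)
            print name, res
        }'
}

# $1 = ./configure output, $2 = debug (-X) output. Prints one label:
#   ok                no EAP type was ignored
#   configure-no-ssl  configure did not find OpenSSL: install the runtime and
#                     development packages, then re-run the whole configure
#   stale-install     configure found OpenSSL but the running binary lacks it:
#                     remove the old install, make distclean, rebuild, reinstall
# Returns 0 only for "ok", so it can gate a build or deployment step.
diagnose() {
    ignored=$(printf '%s\n' "$2" | ignored_eap_types)
    if [ -z "$ignored" ]; then echo ok; return 0; fi
    probes=$(printf '%s\n' "$1" | openssl_probe_results)
    if [ -n "$probes" ] && ! printf '%s\n' "$probes" | grep -qv ' yes$'; then
        echo stale-install
    else
        echo configure-no-ssl
    fi
    return 1
}

# --- constructed sample inputs ---
sample_configure_yes() {
cat <<'EOF'
=== configuring in ./types/rlm_eap_ttls (/usr/src/freeradius-server/src/modules/rlm_eap/./types/rlm_eap_ttls)
configure: running /bin/bash ./configure '--prefix=/usr/local' '--enable-ltdl-install=no' --cache-file=/dev/null --srcdir=.
checking for OpenSSL support... yes
EOF
}

sample_configure_no() {
cat <<'EOF'
=== configuring in ./types/rlm_eap_tls (/usr/src/freeradius-server/src/modules/rlm_eap/./types/rlm_eap_tls)
checking for OpenSSL support... no
EOF
}

sample_debug_ignored() {
cat <<'EOF'
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
EOF
}

sample_debug_clean() {
    echo "Ready to process requests."
}

# Demo: headers were found at configure time, yet the server still drops TLS.
diagnose "$(sample_configure_yes)" "$(sample_debug_ignored)" || true
```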


Re: Ubuntu OpenSSL

2010-06-15 Thread Alan DeKok
David Peterson wrote:
> I  know there is probably something easy I am missing but I cannot for
> the life of me get FR to compile with OpenSSL for EAP-TTLS support.  Are
> there any how-to’s on getting Ubuntu to compile OpenSSL support into FR2.1.9

$ apt-get install openssl-dev
$ cd freeradius-server-2.1.9
$ ./configure
$ make

  Perhaps you could try saying what problems you're seeing.  It doesn't
help to say "I tried stuff and it doesn't work".

  Alan DeKok.

Re: Ubuntu OpenSSL

2010-06-15 Thread John Dennis

On 06/15/2010 01:20 PM, Ha, Thai wrote:

> If you just install 2.18 from the repository, OpenSSL works right out
> the box. If you must compile from source for whatever reason, I think I
> can help you. I was having the same issue as you yesterday, but finally
> managed to do it.
>
> First, make sure you have OpenSSL and libssl-dev installed. Remove any
> previous attempts of freeradius you installed (/usr/local/freeradius). I
> would also remove the folder where you extracted 2.1.9 and extract it
> again. When you run ./configure you must add the openssl arguments
>
> ./configure --with-openssl-includes=/usr/local/openssl/include
> --with-openssl-libraries=/usr/local/openssl/lib
> --prefix=/usr/local/freeradius
>
> Please note, I installed openssl from source and that is the directory
> where I installed openssl. You can pipe grep -i OpenSSL to see if there
> are any errors regarding OpenSSL. Now, just run make and make install
> like you normally do. Once done, go to /usr/local/freeradius/sbin to run
> radius (./radius -X). I got an error during this step complaining about
> not being able to find some OpenSSL libraries. You need to make a script
> to tell radiusd where the file is.
>
> vi run-radius
>
> #!/bin/sh -x
>
> LD_LIBRARY_PATH=/usr/local/openssl/lib
> LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
>
> export LD_LIBRARY_PATH LD_PRELOAD
>
> /usr/local/freeradius/sbin/radiusd "$@"
>
> Save and exit.
>
> Next, you must make the script executable.
>
> chmod u=rwx run-radius
>
> Now you can run the script and everything should work (./run-radius -X).
> You will always have to execute the script to run freeradius.
>
> I got most of my information from this link:
> http://text.dslreports.com/forum/remark,9286052~mode=flat
>
> I am new to freeradius, so if I am doing something wrong, or
> inefficiently, please tell me.


This isn't an issue of being new to freeradius, it's an issue of 
understanding how Linux and Linux packaging works, but that's really a 
topic for a different mailing list ...


The fact you need to create a script and force the LD_LIBRARY_PATH 
should be your clue you're not doing things correctly.


--
John Dennis 


Re: Ubuntu OpenSSL

2010-06-15 Thread John Dennis

On 06/15/2010 01:20 PM, YvesDM wrote:

> On Tue, Jun 15, 2010 at 6:49 PM, David Peterson wrote:
> > I  know there is probably something easy I am missing but I cannot for the
> > life of me get FR to compile with OpenSSL for EAP-TTLS support.  Are there
> > any how-to’s on getting Ubuntu to compile OpenSSL support into FR2.1.9
> >
> > David Peterson
>
> Strange, I had no issues compiling it on debian.
> You did install the openssl package right?


I'm not familiar with deb packaging but normally packages are divided 
between runtime components and "devel" components (what's needed to 
build against). Installing only the openssl runtime components won't be 
of much use for building. I suspect you need to also install the openssl 
devel package.


FWIW when you run configure it will output a warning message if it 
can't find the openssl devel components. Make sure you look for that.


Also, after you install the devel components you *must* run configure 
again because your development environment has changed.


--
John Dennis 


RE: Ubuntu OpenSSL

2010-06-15 Thread Ha, Thai
If you just install 2.18 from the repository, OpenSSL works right out the box. 
If you must compile from source for whatever reason, I think I can help you. I 
was having the same issue as you yesterday, but finally managed to do it.

First, make sure you have OpenSSL and libssl-dev installed. Remove any previous 
attempts of freeradius you installed (/usr/local/freeradius). I would also 
remove the folder where you extracted 2.1.9 and extract it again. When you run 
./configure you must add the openssl arguments

./configure --with-openssl-includes=/usr/local/openssl/include \
    --with-openssl-libraries=/usr/local/openssl/lib --prefix=/usr/local/freeradius

Please note, I installed openssl from source and that is the directory where I 
installed openssl. You can pipe grep -i OpenSSL to see if there are any errors 
regarding OpenSSL. Now, just run make and make install like you normally do.  
Once done, go to /usr/local/freeradius/sbin to run radius (./radius -X). I got 
an error during this step complaining about not being able to find some OpenSSL 
libraries. You need to make a script to tell radiusd where the file is.

vi run-radius

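#!/bin/sh -x

# Point the dynamic linker at the source-built OpenSSL before starting radiusd.
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so

export LD_LIBRARY_PATH LD_PRELOAD

# Pass all arguments (e.g. -X) through to radiusd unchanged.
/usr/local/freeradius/sbin/radiusd "$@"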

Save and exit.
Next, you must make the script executable.

chmod u=rwx run-radius

Now you can run the script and everything should work (./run-radius -X). You 
will always have to execute the script to run freeradius.

I got most of my information from this link: 
http://text.dslreports.com/forum/remark,9286052~mode=flat

I am new to freeradius, so if I am doing something wrong, or inefficiently, 
please tell me.

Thai Ha
From: freeradius-users-bounces+thai.tro.ha=hp@lists.freeradius.org 
[mailto:freeradius-users-bounces+thai.tro.ha=hp@lists.freeradius.org] On 
Behalf Of David Peterson
Sent: Tuesday, June 15, 2010 9:50 AM
To: 'FreeRadius users mailing list'
Subject: Ubuntu OpenSSL

I  know there is probably something easy I am missing but I cannot for the life 
of me get FR to compile with OpenSSL for EAP-TTLS support.  Are there any 
how-to's on getting Ubuntu to compile OpenSSL support into FR2.1.9

David Peterson


Re: Ubuntu OpenSSL

2010-06-15 Thread YvesDM
On Tue, Jun 15, 2010 at 6:49 PM, David Peterson
 wrote:
> I  know there is probably something easy I am missing but I cannot for the
> life of me get FR to compile with OpenSSL for EAP-TTLS support.  Are there
> any how-to’s on getting Ubuntu to compile OpenSSL support into FR2.1.9
>
>
>
> David Peterson
>
>

Strange, I had no issues compiling it on debian.
You did install the openssl package right?



Ubuntu OpenSSL

2010-06-15 Thread David Peterson
I  know there is probably something easy I am missing but I cannot for the
life of me get FR to compile with OpenSSL for EAP-TTLS support.  Are there
any how-to's on getting Ubuntu to compile OpenSSL support into FR2.1.9

 

David Peterson

 


Re: Freeradius + mysql + openssl certificates?

2010-05-06 Thread John Dennis

On 05/06/2010 03:17 AM, shirkavand wrote:

> Hi,
>
> Can I use freeradius + mysql + ssl certificates at the same time for
> authenticating users...or this does not make sense? I am a bit confused
> if I have to use one of them (mysql or ssl certificates) for
> authentication purposes.
>
> I have read tutorials for using freeradius + mysql OR freeradius + ssl
> certificates. In "freeradius + mysql" tutorial explains how to make the
> authentication using mysql... so the passwords and users are all stored
> inside a mysql db. In the other hand the freeradius + ssl
> certificates explains how to make the authentication using a file
> called "users" that stores all the users and passwords.
>
> So I am wondering if I can not make the radius server authenticate users
> using the credential info from the mysql Db and using certificates
> too..or if each one are different methods to use.


You might be confused as to when certificates are required and for what 
purpose. In the more common case the only certificate needed is for the 
radius server, user authentication occurs via per-user passwords or 
hashes available to the radius server via a secondary store (e.g. SQL 
database, flat file, or LDAP). The server certificate is only used to 
secure the communications channel and there is no need to store a 
certificate in a database. However some EAP methods avoid the use of the 
less secure password/hash credential (what is normally stored in a 
database on a per user basis) and instead require a client certificate. 
Client certificates (e.g. a certificate is issued to each user wishing 
to authenticate) are more secure than password/hashes. However the 
requirement for distributing and maintaining client side certificates is 
often considered too much of a logistical burden despite the excellent 
security it provides. When client certificates are used it's still not 
necessary to store any per user certificates in the backend. Why? 
Because in the SSL/TLS protocol when client authentication is requested 
the client sends its certificate to the server which then validates the 
client certificate (after having also validated a client signed 
challenge). The primary requirement here is that the CA which signed the 
client certificate is a trusted CA known to the radius server.


The short answer is radius configurations backed by a MySQL database do 
not require storing per user certificates in the database.


--
John Dennis 
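
The point made above, that the server needs only the trusted CA and no stored copy of each user's certificate, as an added example that is not part of the original message. It builds two throwaway CAs with the openssl command line tool and shows which client presentations a server trusting only one of them would accept; all file names, subject names and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: whether a client certificate is accepted depends on the CA
# the server trusts, not on a stored per-user copy. Throwaway material only.

# make_ca DIR NAME: write DIR/NAME.cnf, DIR/NAME.key and self-signed DIR/NAME.pem.
make_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_client_cert DIR CA USER: key pair for USER plus a certificate signed by CA.
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# chains_to_ca CA_PEM CERT_PEM: exit 0 only if CERT_PEM was signed by the trusted CA.
chains_to_ca() {
    out=$(openssl verify -CAfile "$1" "$2" 2>/dev/null) || return 1
    case "$out" in *": OK") return 0 ;; *) return 1 ;; esac
}

# proves_possession KEY CERT_PEM: sign a fresh nonce with KEY and check it with
# the public key inside CERT_PEM. This stands in for the client-signed
# challenge; real TLS signs the handshake transcript instead of a bare nonce.
proves_possession() {
    tmp=$(mktemp -d) || return 1
    openssl rand -hex 32 > "$tmp/nonce" &&
    openssl dgst -sha256 -sign "$1" -out "$tmp/sig" "$tmp/nonce" 2>/dev/null &&
    openssl x509 -in "$2" -pubkey -noout > "$tmp/pub.pem" 2>/dev/null &&
    openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig" \
        "$tmp/nonce" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# server_decision CA_PEM CERT_PEM KEY: print "accept" or "reject".
server_decision() {
    if chains_to_ca "$1" "$2" && proves_possession "$3" "$2"; then
        echo accept
    else
        echo reject
    fi
}

# demo_ca_trust: prints the three decisions separated by spaces.
demo_ca_trust() {
    dir=$(mktemp -d) || return 1
    if make_ca "$dir" radius-ca && make_ca "$dir" other-ca &&
       issue_client_cert "$dir" radius-ca karol &&
       issue_client_cert "$dir" other-ca outsider; then
        trusted="$dir/radius-ca.pem"   # the only trust input the server holds
        a=$(server_decision "$trusted" "$dir/karol.pem" "$dir/karol.key")
        b=$(server_decision "$trusted" "$dir/outsider.pem" "$dir/outsider.key")
        # karol's public certificate presented without karol's private key
        c=$(server_decision "$trusted" "$dir/karol.pem" "$dir/outsider.key")
        echo "$a $b $c"
    fi
    rm -rf "$dir"
}

demo_ca_trust
```

The server side never reads a per-user file: the certificate arrives from the client, and only radius-ca.pem has to be configured as trusted.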



Freeradius + mysql + openssl certificates?

2010-05-06 Thread shirkavand
Hi,

Can I use freeradius + mysql + ssl certificates at the same time for
authenticating users...or this does not make sense? I am a bit confused if I
have to use one of them (mysql or ssl certificates) for authentication
purposes.

I have read tutorials for using freeradius + mysql OR freeradius + ssl
certificates. In "freeradius + mysql" tutorial explains how to make the
authentication using mysql... so the passwords and users are all stored
inside a mysql db. In the other hand the freeradius + ssl
certificates explains how to make the authentication using a file called
"users" that stores all the users and passwords.

So I am wondering if I can not make the radius server authenticate users
using the credential info from the mysql Db and using certificates too..or
if each one are different methods to use.

Any ideas?

Cheers

Re: openssl

2010-05-05 Thread Josip Rodin
On Wed, May 05, 2010 at 04:43:37PM +0200, Alan DeKok wrote:
> John Dennis wrote:
> > I have to agree with Josip that whenever possible users should be
> > directed to install pre-built packages with the advice to build it
> > yourself being dispensed only with great care.
> 
>   The Wiki could be updated to make all of that clearer, too.

If you gave some of us an account on the Wiki, you wouldn't have to worry
about that... hint hint :)

-- 
 2. That which causes joy or happiness.


Re: thx 4 openSSL & one more question

2010-05-05 Thread Alan DeKok
ds14.kornel wrote:
> Hi
> Thanks for last advices with freeradius installations + peap on debian lenny
> Now i have no problem with enabling peap :)

...
> rad_recv: Access-Request packet from host 192.168.10.50 port 2054,
> id=148, length=169
...
> Message-Authenticator = 0x2ea50a302a451ed3b32b748a23fe00e3
>   WARNING: Empty section.  Using default return values.
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user

  You have deleted everything from raddb/sites-enabled/

  Why?  That is breaking the server.  Stop it.  Use the default install.
 It's really not that hard.

  Alan DeKok.


Re: openssl

2010-05-05 Thread Alan DeKok
John Dennis wrote:
> I have to agree with Josip that whenever possible users should be
> directed to install pre-built packages with the advice to build it
> yourself being dispensed only with great care.

  The Wiki could be updated to make all of that clearer, too.

> It would also help if we could converge on a stable release that's
> usable for a significant duration.

  2.1.x is the "long term support" version.  Using "git" is making this
process much easier.

  2.2.0 will be the track that adds new features, like possibly RadSec,
and other interesting things.

> Users are told to run the latest
> release, which may be only a few weeks or months old which makes it
> difficult for the distribution channels for pre-built binaries to keep
> up by always having the latest release available. Since it's often the
> case the latest release is not available in the distribution channel
> users are forced into building it themselves with all the bad results
> and frustration vented here. If we had a stable release I suspect a lot
> of this frustration would be mitigated.

  Once the distributions have a stable release with OpenSSL support, the
majority of the problems should go away.

  Alan DeKok.


Re: openssl

2010-05-05 Thread John Dennis

On 05/04/2010 06:21 PM, Josip Rodin wrote:

> On Tue, May 04, 2010 at 09:39:30PM +0100, Alan Buxey wrote:
> > > 3.) Install the main FreeRADIUS package from there, for example with:
> > >  apt-get install -t lenny-backports freeradius
> >
> > alternatively, grab the source and build it yourself. the choice is yours.
>
> No, I think that is a false choice for these users. We should not be
> telling random newbies to take a route that has time and time again been
> demonstrated to be too complicated for them to handle, when they can easily
> use a more efficient method - install safe working binaries. That also has
> the benefit of keeping them in the loop for later updates from the same
> reliable channel. If they explicitly tell us that they already use Debian,
> then we can't have much reason to have them avoid these Debian-specific
> methods that accomplish our goals - to make these people happy users of FR.
>
> This is one fairly trivial bug, even if one knows very little about
> compiling source code - one just has to google, and/or read the official
> web site (wiki), and find that all they have to do is install that one
> package and restart the build process, and they're good - yet numerous users
> have sent an e-mail to the list saying it's been a showstopper for them.
>
> I do not see what is there to gain by telling these people to keep using
> a method they clearly do not understand enough to be able to solve a
> relatively easy problem with. Sure, they can apply this quick fix now, but
> will it help their FreeRADIUS experience, and in turn will it help
> FreeRADIUS? Isn't it better for all to get them past the installation phase
> as quickly as possible, and not have to rehash these tangential issues,
> when time could be better spent educating them about core issues such as
> FreeRADIUS configuration semantics, or RADIUS protocol issues?



+1

I completely agree. Building *and* installing FreeRADIUS from source 
requires technical skill that exceeds the technical competence of a 
significant proportion of the users on this list. One only needs to 
spend a short period here to see this is clearly the case.


I have to agree with Josip that whenever possible users should be 
directed to install pre-built packages with the advice to build it 
yourself being dispensed only with great care.


It would also help if we could converge on a stable release that's 
usable for a significant duration. Users are told to run the latest 
release, which may be only a few weeks or months old which makes it 
difficult for the distribution channels for pre-built binaries to keep 
up by always having the latest release available. Since it's often the 
case the latest release is not available in the distribution channel 
users are forced into building it themselves with all the bad results 
and frustration vented here. If we had a stable release I suspect a lot 
of this frustration would be mitigated.


--
John Dennis 



thx 4 openSSL & one more question

2010-05-05 Thread ds14.kornel

Hi
Thanks for last advices with freeradius installations + peap on debian lenny
Now i have no problem with enabling peap :)

this time I'm asking for help with some other problem:
I'm trying to enable WPA2 enterprise authentication on my access points.
When trying to auth my wireless client I'm getting sth like this in log :

Wed May  5 15:09:25 2010 : Auth: Login incorrect: [karol/<no User-Password attribute>] (from client AP1 port 0 cli 0022431380c4)

where :
0022431380c4 is my wireless mac address (laptop)
client AP1 is my Access Point client from clients.conf
karol - is my user from users.conf

it looks like freeradius doesn't want to look inside the password field 
and can't recognize a laptop ip (getting mac)


Please give me some advice - what's next ?

Here is my debug.


Kill-9:/home/kornel# freeradius -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  3 
2010 at 15:51:52

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 120
wake_all_if_all_dead = no
 }
radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
* client 172.16.0.16 {  -- Client ip address*
require_message_authenticator = no
secret = "tajne1234"
shortname = "eee"
 }
* client 192.168.10.50 {  -- AP ip address*
require_message_authenticator = no
secret = "tajne1234"
shortname = "AP1"
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

*AND here is an authenticate attempt debug*

rad_recv: Access-Request packet from host 192.168.10.50 port 2054, 
id=148, length=169

User-Name = "karol"
*NAS-IP-Address = 192.168.10.50  -- AP ip address*
NAS-Port = 0
*Called-Station-Id = "00265abab28d"  -- AP mac address
Calling-Station-Id = "0022431380c4"  -- Client mac address*

NAS-Identifier = "Realtek Access Point. 8186"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020b016d617263696e
Message-Authenticator = 0x2ea50a302a451ed3b32b748a23fe00e3
  WARNING: Empty section.  Using default return values.
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

Failed to authenticate the user.
Login incorrect: [karol/<no User-Password attribute>] (from client AP1 port 0 cli 0022431380c4)

Delaying reject 

Re: openssl

2010-05-04 Thread Josip Rodin
On Tue, May 04, 2010 at 09:39:30PM +0100, Alan Buxey wrote:
> > 3.) Install the main FreeRADIUS package from there, for example with:
> > apt-get install -t lenny-backports freeradius
> 
> alternatively, grab the source and build it yourself. the choice is yours.

No, I think that is a false choice for these users. We should not be
telling random newbies to take a route that has time and time again been
demonstrated to be too complicated for them to handle, when they can easily
use a more efficient method - install safe working binaries. That also has
the benefit of keeping them in the loop for later updates from the same
reliable channel. If they explicitly tell us that they already use Debian,
then we can't have much reason to have them avoid these Debian-specific
methods that accomplish our goals - to make these people happy users of FR.

This is one fairly trivial bug, even if one knows very little about
compiling source code - one just has to google, and/or read the official
web site (wiki), and find that all they have to do is install that one
package and restart the build process, and they're good - yet numerous users
have sent an e-mail to the list saying it's been a showstopper for them.

I do not see what is there to gain by telling these people to keep using
a method they clearly do not understand enough to be able to solve a
relatively easy problem with. Sure, they can apply this quick fix now, but
will it help their FreeRADIUS experience, and in turn will it help
FreeRADIUS? Isn't it better for all to get them past the installation phase
as quickly as possible, and not have to rehash these tangential issues,
when time could be better spent educating them about core issues such as
FreeRADIUS configuration semantics, or RADIUS protocol issues?

-- 
 2. That which causes joy or happiness.


Re: openssl

2010-05-04 Thread Alan Buxey
Hi,

> > yep - the default debian install doesnt have OpenSSL support.


> No, only the default build of 2.1.8 from original source on Debian lacks the
> libssl-dev build-dependency. The pre-built packages are fine, and that's

yes, thats what I said...look above.

> 3.) Install the main FreeRADIUS package from there, for example with:
> apt-get install -t lenny-backports freeradius

alternatively, grab the source and build it yourself. the choice is yours.

alan


Re: openssl

2010-05-04 Thread Josip Rodin
On Tue, May 04, 2010 at 07:58:03PM +0100, Alan Buxey wrote:
> > rlm_eap: No such sub-type for default EAP type peap
> 
> yep - the default debian install doesnt have OpenSSL support.
> 
> http://wiki.freeradius.org/Build#Building_Debian_packages

No, only the default build of 2.1.8 from original source on Debian lacks the
libssl-dev build-dependency. The pre-built packages are fine, and that's
what everyone, ESPECIALLY NEWBIES, should be using.

Let me repeat the simple guide once again:

1.) Add Debian lenny-backports repository to your sources.list, for example:
deb http://backports.org/debian lenny-backports main

2.) Update the package list, for example with:
apt-get update

3.) Install the main FreeRADIUS package from there, for example with:
apt-get install -t lenny-backports freeradius

-- 
 2. That which causes joy or happiness.


Re: openssl

2010-05-04 Thread Alan Buxey
Hi,

>}
> rlm_eap: No such sub-type for default EAP type peap
> /etc/freeradius/eap.conf[1]: Instantiation failed for module "eap"
> /etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
> /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate 
> section.
>  }
> }
> Errors initializing modules

yep - the default debian install doesnt have OpenSSL support.

http://wiki.freeradius.org/Build#Building_Debian_packages


alan


Re: openssl

2010-05-04 Thread Alexandre Chapellon
On Tuesday 04 May 2010 at 19:51 +0200, ds14.kornel wrote:

> hi
> I'm starting with linux and freeradius with peap configuration.
> I'm using debian lenny 2.6.26-2-686, when running freeradius -X
> (FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7
> 2008 at 23:35:34) i'm getting those errors
> 
>  Module: Instantiating eap
>   eap {
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
>   }
>  Module: Linked to sub-module rlm_eap_md5
>  Module: Instantiating eap-md5
> rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
> rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL
> support.
> rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL
> support.
>  Module: Linked to sub-module rlm_eap_mschapv2
>  Module: Instantiating eap-mschapv2
>mschapv2 {
> with_ntdomain_hack = no
>}
> rlm_eap: No such sub-type for default EAP type peap
> /etc/freeradius/eap.conf[1]: Instantiation failed for module "eap"
> /etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module
> "eap".
> /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing
> authenticate section. 
>  }
> }
> Errors initializing modules
> 
> how should i install openssl ?? only compilation by hand will work
> here ??
> Can anybody give needed advice please?
> 
> Thanks a lot for help! :)


I would say you will have to install openssl development headers and
recompile freeradius with the correct switches to enable eap module.

sudo apt-get install libssl-dev

and then recompile with --with-rlm-eap

This is just a guess.

> 
> Kornel
> 
> 


-- 
Alexandre Chapellon 
Mana SAS

openssl

2010-05-04 Thread ds14.kornel

hi
I'm starting with linux and freeradius with peap configuration.
I'm using debian lenny 2.6.26-2-686, when running freeradius -X 
(FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7 
2008 at 23:35:34) i'm getting those errors


 Module: Instantiating eap
  eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5*
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.*
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }
*rlm_eap: No such sub-type for default EAP type peap*
/etc/freeradius/eap.conf[1]: Instantiation failed for module "eap"
/etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module 
"eap".
/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing 
authenticate section.

 }
}
*Errors initializing modules*

how should i install openssl ?? only compilation by hand will work here ??
Can anybody give needed advice please?

Thanks a lot for help! :)

Kornel
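
A check for the failure shown in the debug output above, as an added example that is not part of the original post: it reads `freeradius -X` output, lists the EAP types the server skipped for lack of OpenSSL, and reports whether the configured default_eap_type is one of them. The function names are assumptions of this example, and the embedded sample is constructed from lines of the log above.

```shell
#!/bin/sh
# Added example: explain "No such sub-type for default EAP type" from
# `freeradius -X` / `radiusd -X` debug output.

# Constructed sample: lines taken from the debug output quoted in this thread.
sample_debug_log() {
cat <<'EOF'
 Module: Instantiating eap
  eap {
default_eap_type = "peap"
timer_expire = 60
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
rlm_eap: No such sub-type for default EAP type peap
EOF
}

# Print, space separated, the EAP types skipped because the build has no
# OpenSSL. Leading spaces, "*" and ">" (mail quoting) are tolerated.
eap_types_without_openssl() {
    sed -n 's|^[[:space:]>*]*rlm_eap: Ignoring EAP-Type/\([A-Za-z0-9_-]*\) because we do not have OpenSSL.*|\1|p' |
        tr '\n' ' ' | sed 's/ *$//'
}

# Print the first default_eap_type value found, with any quotes stripped.
default_eap_type() {
    sed -n 's|^[[:space:]>*]*default_eap_type *= *"\{0,1\}\([A-Za-z0-9_-]*\)"\{0,1\}.*|\1|p' |
        head -n 1
}

# Read debug output on stdin.
# Exit 0: default type is usable. Exit 1: default type was dropped because
# the server was built without OpenSSL. Exit 2: no default type in the input.
check_default_eap_type() {
    log=$(cat)
    default=$(printf '%s\n' "$log" | default_eap_type)
    [ -n "$default" ] || { echo "no default_eap_type in input"; return 2; }
    for t in $(printf '%s\n' "$log" | eap_types_without_openssl); do
        if [ "$t" = "$default" ]; then
            echo "default_eap_type=$default needs OpenSSL; this build has none"
            return 1
        fi
    done
    echo "default_eap_type=$default is available"
    return 0
}

# Usage on a live system: freeradius -X 2>&1 | check_default_eap_type
sample_debug_log | check_default_eap_type || true
```

Exit status 1 means the binary itself has to change, not eap.conf: use a package built with OpenSSL, or install libssl-dev and re-run configure before rebuilding, as the replies in this thread describe.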


Re: openssl support

2010-03-17 Thread omega bk
hi,

you have a bootstrap script  in certs directory for a sample certification,
it works.

bye


2010/3/17 Alan DeKok 

> Cesar Ortega wrote:
> > OK, I tried with a native Windows XP client but it asked me for a
> > certify. Why does happened?
>
>   That's how EAP works.  This is documented in FreeRADIUS and in Windows.
>
> > In the other hand, FreeRadius console never
> > received the packet from the Windows client as Nokia did. I only want to
> > do a transparent authentication to my wireless network just using the
> > username and password that the client send.
>
>   Then you need to configure EAP.  There are many howtos describing how
> to do this.
>
> > I dont want to use PEAP for that reason (certifies), so I chose gtc as
> > default_eap_type in eap.conf file
>
>   You cannot use GTC for wireless authentication.  You MUST use a
> certificate-based EAP method.
>
>  This is documented in FreeRADIUS and in Windows.
>
>  Alan DeKok.
>

Re: openssl support

2010-03-17 Thread Alan DeKok
Cesar Ortega wrote:
> OK, I tried with a native Windows XP client but it asked me for a
> certify. Why does happened?

  That's how EAP works.  This is documented in FreeRADIUS and in Windows.

> In the other hand, FreeRadius console never
> received the packet from the Windows client as Nokia did. I only want to
> do a transparent authentication to my wireless network just using the
> username and password that the client send.

  Then you need to configure EAP.  There are many howtos describing how
to do this.

> I dont want to use PEAP for that reason (certifies), so I chose gtc as
> default_eap_type in eap.conf file

  You cannot use GTC for wireless authentication.  You MUST use a
certificate-based EAP method.

  This is documented in FreeRADIUS and in Windows.

  Alan DeKok.


RE: openssl support

2010-03-17 Thread Cesar Ortega

Thanks Alan,

OK, I tried with a native Windows XP client but it asked me for a certify. Why 
does happened? In the other hand, FreeRadius console never received the packet 
from the Windows client as Nokia did. I only want to do a transparent 
authentication to my wireless network just using the username and password that 
the client send.

I dont want to use PEAP for that reason (certifies), so I chose gtc as 
default_eap_type in eap.conf file

eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = gtc

What is wrong?

Cesar

> Date: Wed, 17 Mar 2010 13:48:44 -0700
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: openssl support
> 
> Cesar Ortega wrote:
> > Yes, I already known that. However,  for some reason FreeRadius doesn't
> > recognized that OpenSSL is already installed on my system. During the
> > compilation there wasn't any WARNING about OpenSSL.
> 
>   Did you read the configure / compile stages for messages about
> openssl?  It's not hard.  There are a lot of messages, but a simple
> "grep" should limit that to messages related to OpenSSL.
> 
>   Then... read the 20-30 messages about OpenSSL to see what's happening
> there.
> 
>   To repeat: You need to *read* the messages produced on your system.
> 
> > User-Name = "h59bfGBUMZsw4BwQZ3Pz/Q=="
> ...
> > Why my username is encrypted or something like that? I don't get it... I
> > just need authenticate a AD user using clear-text password
> 
>   Blame the client device.  Nokia, whatever.  It isn't a FreeRADIUS problem.
> 
>   Alan DeKok.
  

Re: openssl support

2010-03-17 Thread John Dennis

On 03/17/2010 04:09 PM, Cesar Ortega wrote:

> Hi omegabk,
>
> Yes, I already known that. However, for some reason FreeRadius doesn't
> recognized that OpenSSL is already installed on my system. During the
> compilation there wasn't any WARNING about OpenSSL.


The warnings do not occur during compilation, they occur when you run 
configure. Once you've run configure you've fixed your compilation 
options. If you want to change your compilation options (e.g. because 
you *now* have the openssl development files installed) then you must 
re-run configure *before* you compile.


--
John Dennis 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: openssl support

2010-03-17 Thread Alan DeKok
Cesar Ortega wrote:
> Yes, I already knew that. However,  for some reason FreeRadius doesn't
> recognize that OpenSSL is already installed on my system. During the
> compilation there wasn't any WARNING about OpenSSL.

  Did you read the configure / compile stages for messages about
openssl?  It's not hard.  There are a lot of messages, but a simple
"grep" should limit that to messages related to OpenSSL.

  Then... read the 20-30 messages about OpenSSL to see what's happening
there.

  To repeat: You need to *read* the messages produced on your system.

> User-Name = "h59bfGBUMZsw4BwQZ3Pz/Q=="
...
> Why is my username encrypted or something like that? I don't get it... I
> just need to authenticate an AD user using a clear-text password

  Blame the client device.  Nokia, whatever.  It isn't a FreeRADIUS problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: openssl support

2010-03-17 Thread Cesar Ortega

Hi omegabk,

Yes, I already knew that. However, for some reason FreeRadius doesn't 
recognize that OpenSSL is already installed on my system. During the 
compilation there wasn't any WARNING about OpenSSL. On the other hand, I just 
want to do transparent authentications of the user (it does not matter if it 
used clear text passwords) with my AD using a wireless LAN. As Alan DeKok said 
in his How To, I am using ntlm_auth module so when I wrote in eap.conf

eap {
default_eap_type = gtc
...

with my wireless client (Nokia N900) configured like that:

EAP Type : PEAP
EAP Method: EAP GTC (other possibility is EAP MSCHAPv2) # I am not using 
certifies at all
Username: ortegaca

In the FreeRadius console I see:

Listening on authentication address * port 1645
Listening on accounting address * port 1646
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1647
Ready to process requests.
rad_recv: Access-Request packet from host 129.90.13.170 port 1645, id=223, 
length=192
User-Name = "h59bfGBUMZsw4BwQZ3Pz/Q=="
Framed-MTU = 1400
Called-Station-Id = "0015.62c8.75d0"
Calling-Station-Id = "a87b.3995.468a"
Cisco-AVPair = "ssid=radiusd"
Service-Type = Login-User
Message-Authenticator = 0x125b506b554d05dcf0cd7eace1e4b8a1
EAP-Message = 0x0202001d0168353962664742554d5a7377344277515a33507a2f513d3d
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "682"
NAS-Port = 682
NAS-IP-Address = 129.90.13.170
NAS-Identifier = "ap"
+- entering group authorize {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> 
--username=h59bfGBUMZsw4BwQZ3Pz/Q==
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064) 
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064) 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> h59bfGBUMZsw4BwQZ3Pz/Q==
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 223 to 129.90.13.170 port 1645
Waking up in 4.9 seconds.

Why is my username encrypted or something like that? I don't get it... I just 
need to authenticate an AD user using a clear-text password

Cesar
Date: Wed, 17 Mar 2010 14:03:57 +0100
Subject: Re: openssl support
From: omeg...@gmail.com
To: freeradius-users@lists.freeradius.org

hi,

You need to have the openssl development packages installed. When you run
configure please make sure you check for warnings, if configure doesn't find
required libraries and headers it will emit a warning message, but will
proceed (just disabling the feature).
i fixed it doing like this

bye



2010/3/17 Cesar Ortega 






Hi there guys,

Look, I have been configuring FreeRadius (2.1.8) with OpenSSL (0.9.8m)
to use ntlm_auth but it did not work at all. I installed libssl-dev (as
Alan DeKok has said before) but it is still telling me:

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

Recompiling FreeRadius does not work either. I tried installing from the
sources and repositories but I could not solve the issue.

Any suggestion? 

Help please...

Cesar


  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
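
Decoding the EAP-Message attribute from the debug output in the message above shows that it is an EAP-Response/Identity carrying the same string as User-Name, so the odd-looking name is what the supplicant itself sent. This is an added example, not part of any post in this thread; the function names are hypothetical and the Nak sample is constructed.

```python
import struct

# EAP codes and the method types named in this thread (numbers per RFC 3748
# and the PEAP/TTLS/MSCHAPv2 method registrations); others print as numbers.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_eap(hex_value):
    """Decode one EAP packet given as the hex string radiusd -X prints."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": None, "data": b""}
    # Success and Failure carry no Type field; Request and Response do.
    if code in (1, 2) and length >= 5:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    if pkt["type"] == "Nak":
        # A Nak lists the method types the peer is willing to use instead.
        pkt["wanted"] = [EAP_TYPES.get(b, b) for b in pkt["data"]]
    return pkt


def identity_matches_user_name(eap_hex, user_name):
    """True when User-Name is exactly the identity the supplicant sent in EAP."""
    pkt = parse_eap(eap_hex)
    if pkt["code"] != "Response" or pkt["type"] != "Identity":
        raise ValueError("not an EAP-Response/Identity")
    return pkt["data"].decode("utf-8", "replace") == user_name


# Attribute values copied from the Access-Request in the message above.
EAP_MESSAGE = "0x0202001d0168353962664742554d5a7377344277515a33507a2f513d3d"
USER_NAME = "h59bfGBUMZsw4BwQZ3Pz/Q=="
# Constructed sample: Response, id 3, length 6, Nak asking for type 25 (PEAP).
SAMPLE_NAK = "020300060319"

if __name__ == "__main__":
    print(parse_eap(EAP_MESSAGE))
    print("User-Name equals EAP identity:",
          identity_matches_user_name(EAP_MESSAGE, USER_NAME))
    print(parse_eap(SAMPLE_NAK))
```
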

Re: openssl support

2010-03-17 Thread omega bk
hi,

You need to have the openssl development packages installed. When you run
configure please make sure you check for warnings, if configure doesn't find
required libraries and headers it will emit a warning message, but will
proceed (just disabling the feature).
i fixed it doing like this

bye



2010/3/17 Cesar Ortega 

>  Hi there guys,
>
> Look, I have been configuring FreeRadius (2.1.8) with OpenSSL (0.9.8m)
> to use ntlm_auth but it did not work at all. I installed libssl-dev (as
> Alan DeKok has said before) but it is still telling me:
>
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>
> Recompiling FreeRadius does not work either. I tried installing from the
> sources and repositories but I could not solve the issue.
>
> Any suggestion?
>
> Help please...
>
> Cesar
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: openssl support

2010-03-17 Thread Cesar Ortega

Hi there guys,

Look, I have been configuring FreeRadius (2.1.8) with OpenSSL (0.9.8m)
to use ntlm_auth but it did not work at all. I installed libssl-dev (as
Alan DeKok has said before) but it is still telling me:

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

Recompiling FreeRadius does not work either. I tried installing from the
sources and repositories but I could not solve the issue.

Any suggestion? 

Help please...

Cesar


  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: openssl support

2010-03-09 Thread John Dennis

On 03/09/2010 10:20 AM, omega bk wrote:

> hello.
>
> radtest is ok.
> but i would like eap authentication. running  radiusd -X
>
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>
> so how can i get openssl support?


You need to have the openssl development packages installed. You've 
already been told this once before. I can't tell you the exact command 
to run since you're running on Debian and I'm not that familiar with 
their distribution but it's probably something like "aptget openssl-devel"


When you run configure make sure you check for warnings, if configure 
doesn't find required libraries and headers it will emit a warning 
message, but will proceed (just disabling the feature).


--
John Dennis 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


openssl support

2010-03-09 Thread omega bk
hello.

radtest is ok.
but i would like eap authentication. running  radiusd -X

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

so how can i get openssl support?

that is why further i got
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type PEAP
[eap] No common EAP types found.
[eap] Failed in EAP select

#""""

here is my radiusd -X

radiusTest:/usr/local/etc/raddb# radiusd -X
FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Mar  9 2010
at 15:55:35
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
p

Re: Debian, EAP, and the OpenSSL and GPL incompatibility

2009-12-21 Thread Alan DeKok
Bjørn Mork wrote:
> Just noticed:
...
>     Add OpenSSL license exception
> 
> commit 5ed6809aad46a999db022d9a0be417178b93dff6
> Author: Alan T. DeKok 
> Date:   Mon Dec 21 10:49:50 2009 +0100
> 
> Synced with upstream debian
> 
> 
> 
> Thanks!

  More to come. :)

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Debian, EAP, and the OpenSSL and GPL incompatibility

2009-12-21 Thread Bjørn Mork
Just noticed:

commit 48674ba26a39620448723f5852aa30a899d515ac
Author: Alan T. DeKok 
Date:   Mon Dec 21 12:07:08 2009 +0100

Add OpenSSL license exception

commit 5ed6809aad46a999db022d9a0be417178b93dff6
Author: Alan T. DeKok 
Date:   Mon Dec 21 10:49:50 2009 +0100

Synced with upstream debian



Thanks!



Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Debian, EAP, and the OpenSSL and GPL incompatibility

2009-11-22 Thread Alan DeKok
Bjørn Mork wrote:
> Alan DeKok posted this very promising report of the re-licensing work he
> had been doing in January:
> http://lists.cistron.nl/pipermail/freeradius-devel/2009-January/012726.html

  I've contacted a number of people.  No one has objected.

> If I understand Alan's post correctly, the license issue was
> unintentional in the first place.  If that is correct, then it is too
> bad that it keeps a number of users from using the code (yes, there is
> nothing preventing them from building FreeRADIUS themselves, but most
> users won't do that)

  An alternative would be to distribute freeradius + openssl binaries
from freeradius.org.  Or, to re-arrange the code so that any OpenSSL
dependence is re-arranged to avoid the license issue.

  Alan DeKok
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Debian, EAP, and the OpenSSL and GPL incompatibility (was: Re: freeradius + ldap eap-ttls/pap)

2009-11-22 Thread Bjørn Mork
Matias  writes:

> Thanks!. Now everything seems much clear for me. I think my problem is this:
>
> http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html

BTW, I was looking over the Debian bug report ( http://bugs.debian.org/266229 )
regarding this issue a few days ago, just to see if there was any news.
As many other Debian users, I am worrying that we may be heading for yet
another stable Debian release without EAP-support in FreeRADIUS...

Alan DeKok posted this very promising report of the re-licensing work he
had been doing in January:
http://lists.cistron.nl/pipermail/freeradius-devel/2009-January/012726.html

And I was wondering: Has there been any updates wrt this?  Is the
bankrupt copyright owner a problem?  Is there any hope getting the
necessary files relicensed in time for the Debian squeeze freeze?  It
would certainly help Debian users a lot.

If I understand Alan's post correctly, the license issue was
unintentional in the first place.  If that is correct, then it is too
bad that it keeps a number of users from using the code (yes, there is
nothing preventing them from building FreeRADIUS themselves, but most
users won't do that)

If there is someone not knowing the problem, then reading
http://www.gnome.org/~markmc/openssl-and-the-gpl.html is recommended.



Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: OpenSSL + Freeradius

2009-11-11 Thread Wagner Pereira




Hey, Alan.

This is an interesting website! Do you intend to sell that
DeployingRADIUS book soon? If yes, through which website? How can it
be shipped here, to Brazil?
-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902


Alan DeKok wrote:

> Peter Carlstedt wrote:
>> Now I only need to find a "know how" for configuring Freeradius so it
>> will accept authentication from Mac and Windows machines. Can anyone of
>> you recommend a good site? :)
>
>   http://deployingradius.com
>
>   Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: OpenSSL + Freeradius

2009-11-11 Thread Alan DeKok
Peter Carlstedt wrote:
> Now I only need to find a "know how" for configuring Freeradius so it
> will accept authentication from Mac and Windows machines. Can anyone of
> you recommend a good site? :)

  http://deployingradius.com

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


OpenSSL + Freeradius

2009-11-11 Thread Peter Carlstedt

Hello everyone.

I just wanted to thank you so much for your time.

I found a solution without having to modify the control & rules files in the 
debian folder.

So I got freeradius function with OpenSSL and PEAP now.

 

Now I only need to find a "know how" for configuring Freeradius so it will 
accept authentication from Mac and Windows machines. Can anyone of you 
recommend a good site? :)

 

 

Best regards/ Peter
  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeradius - Openssl

2009-05-07 Thread new conf
Dear all;

I have to remove the link that does between freeradius and openssl.. to do
some tests..
Can someone tell me what is the function that I must comment in
"rlm_eap_tls.c" to use the module eap_tls without openssl?

thank you so much for your help!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeRADIUS does not "see" openssl

2009-01-21 Thread Alan DeKok
rosect...@yahoo.com wrote:
> I have a problem with freeRADIUS version 2.1.3.
> 
> I have openssl installed in /usr/local/ssl. To build the freeRADIUS
> server, I used this command:
> ./configure --with-openssl-include=/usr/local/ssl/include
> --with-openssl-libraries=/usr/local/ssl/lib
> 
> However, the freeRADIUS just does not see the openssl and reports the
> followings:
> 1. configure: skipping test for openssl/ssl.h -- why skip? Because it
> was told?

  Go read config.log.  It's big and complicated, unfortunately.

> 2. Checking OpenSSL support... no
> 
> What configuration did I miss such that the server does not see the
> openssl? Thanks.

  OpenSSL isn't in a standard location.  Maybe your linker && compiler
can't find it...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeRADIUS does not "find" openssl

2009-01-21 Thread John Dennis
rosect...@yahoo.com wrote:
> I have a problem with freeRADIUS version 2.1.3.
>
> I have openssl installed in /usr/local/ssl. To build the freeRADIUS
> server, I used this command:
> ./configure --with-openssl-include=
> /usr/local/ssl/include--with-openssl-libraries= /usr/local/ssl/lib
>
> However, the freeRADIUS just does not see the openssl and reports
> this:
> 1. configure: skipping test for openssl/ssl.h -- why skip? Because it
> was told?
>
Your mail formatting is a bit weird so it's hard to tell, but it sure
looks like you don't have a space between the --with-openssl-include and
--with-openssl-libraries options so it's interpreting as one long string.


-- 
John Dennis 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
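
The checks recommended in these threads (read configure's OpenSSL messages, look at Make.inc, watch the radiusd -X start-up lines) and the run-together arguments spotted in the reply above can be combined into one post-build gate. This is an added example, not code from any poster or from the FreeRADIUS project; the function names are hypothetical, the accepted option names are the ones listed in the configure help quoted at the top of this page, and the sample inputs are constructed from lines quoted in the posts.

```python
import re

# OpenSSL-related configure options as spelled in the configure help quoted
# at the top of this page.
KNOWN_OPENSSL_OPTS = {"--without-openssl", "--with-openssl-includes",
                      "--with-openssl-libraries"}
IGNORED_EAP = re.compile(
    r"Ignoring EAP-Type/(\S+) because we do not have OpenSSL support")
NAK_EAP = re.compile(r"\[eap\] NAK asked for unsupported type (\S+)")


def lint_configure_args(argv):
    """Return problems in the OpenSSL-related arguments passed to ./configure."""
    problems = []
    for arg in argv:
        if "openssl" not in arg.lower():
            continue
        name, _, value = arg.partition("=")
        if "--with" in value:
            # No space between two options: configure receives a single word.
            problems.append("options run together: " + arg)
        elif name not in KNOWN_OPENSSL_OPTS:
            problems.append("not a listed option name: " + name)
    return problems


def configure_findings(output):
    """Pick the configure lines that say OpenSSL was skipped or not found."""
    hits = []
    for line in output.splitlines():
        if "openssl" not in line.lower():
            continue
        if (re.search(r"\.\.\.\s*no\s*$", line) or "skipping" in line
                or "warning" in line.lower()):
            hits.append(line.strip())
    return hits


def make_inc_disables_openssl(make_inc):
    """True if Make.inc sets -DNO_OPENSSL, False if not, None if unset."""
    for line in make_inc.splitlines():
        m = re.match(r"\s*OPENSSL_INCLUDE\s*=(.*)$", line)
        if m:
            return "-DNO_OPENSSL" in m.group(1).split()
    return None


def audit(argv, configure_output, make_inc, radiusd_debug):
    """Combine the three stages into one report a build job can fail on."""
    report = {
        "arg_problems": lint_configure_args(argv),
        "configure": configure_findings(configure_output),
        "no_openssl_define": make_inc_disables_openssl(make_inc),
        "eap_types_dropped": IGNORED_EAP.findall(radiusd_debug),
        "eap_types_refused": NAK_EAP.findall(radiusd_debug),
    }
    # Without OpenSSL the server ignores the TLS-based EAP methods.
    report["tls_eap_available"] = (report["no_openssl_define"] is False
                                   and not report["eap_types_dropped"])
    return report


# Constructed inputs, assembled from lines quoted in the posts on this page
# (the gcc line is filler to show that unrelated output is ignored).
SAMPLE_ARGV = ["--with-openssl-include=/usr/local/ssl/include"
               "--with-openssl-libraries=/usr/local/ssl/lib"]
SAMPLE_CONFIGURE = """checking for gcc... gcc
configure: skipping test for openssl/ssl.h
checking for OpenSSL support ... no
"""
SAMPLE_MAKE_INC = "OPENSSL_LIBS=\nOPENSSL_INCLUDE = -DNO_OPENSSL\n"
SAMPLE_RADIUSD_X = """Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
[eap] NAK asked for unsupported type PEAP
"""

if __name__ == "__main__":
    result = audit(SAMPLE_ARGV, SAMPLE_CONFIGURE, SAMPLE_MAKE_INC,
                   SAMPLE_RADIUSD_X)
    for key, value in result.items():
        print(key, "=", value)
```
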

freeRADIUS does not "see" openssl

2009-01-20 Thread rosect190
I have a problem with freeRADIUS version 2.1.3.

I have openssl installed in /usr/local/ssl. To build the freeRADIUS server, I 
used this command:
./configure --with-openssl-include=/usr/local/ssl/include 
--with-openssl-libraries=/usr/local/ssl/lib

However, the freeRADIUS just does not see the openssl and reports the 
followings:
1. configure: skipping test for openssl/ssl.h -- why skip? Because it was told?

2. Checking OpenSSL support... no

What configuration did I miss such that the server does not see the 
openssl? Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeRADIUS does not "find" openssl

2009-01-20 Thread rosect190
I have a problem with freeRADIUS version 2.1.3.

I have openssl installed in /usr/local/ssl. To build the freeRADIUS server, I 
used this command:
./configure 
--with-openssl-include=/usr/local/ssl/include--with-openssl-libraries=/usr/local/ssl/lib

However, the freeRADIUS just does not see the openssl and reports this:
1. configure: skipping test for openssl/ssl.h  -- why skip? Because it was told?

2. checking for OpenSSL support ... no

What configuration did I miss such that the server does not see the 
openssl? Thanks.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Certificate expired! (OpenSSL 0.9.8.b+Freeradius 1.1.3+Openldapstructure)

2009-01-17 Thread tnt
>Our root certificate is expired!!! We are unable to generate a VALID root
>certificate. Comparison HTML view is attached. You can see certain fields
>differences between them. Like;
>
>*Serial Number is zero ?!?!
>
>X509v3 Basic Constraints: *
>*CA:TRUE* * (The new one is FALSE does it matter?)*
>*
>keyid structure is different
>*
>First certificate is valid but it is expired! The other one is not valid.
>How can I generate a *VALID certificate*???
>
>

Download and untar latest version. Follow instructions in /certs
directory (if you are fond of antiquated versions you don't need to
install the new one to use certificate generation).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Certificate expired! (OpenSSL 0.9.8.b+Freeradius 1.1.3+Openldap structure)

2009-01-17 Thread Someone Youdontknow
Hi to all,

Our root certificate is expired!!! We are unable to generate a VALID root
certificate. Comparison HTML view is attached. You can see certain fields
differences between them. Like;

*Serial Number is zero ?!?!

X509v3 Basic Constraints: *
*CA:TRUE* * (The new one is FALSE does it matter?)*
*
keyid structure is different
*
First certificate is valid but it is expired! The other one is not valid.
How can I generate a *VALID certificate*???


Text Compare
Produced: 17.01.2009 20:49:25
Mode: All
Left file: C:\Documents and Settings\Administrator\Desktop\cacert3.crt
Right file: C:\Documents and Settings\Administrator\Desktop\cacert5.crt

Certificate:
    Data:
        Version:
            Left:  3 (0x2)
            Right: 3 (0x2)
        Serial Number:
            Left:  d5:11:3b:f9:71:87:06:8d
            Right: 0 (0x0)
        Signature Algorithm:
            Left:  sha1WithRSAEncryption
            Right: sha1WithRSAEncryption
        Issuer:
            Left:  C=TR, ST=NA, O=Sakarya Universitesi, OU=IHSM, CN=dot1x.sakarya.edu.tr/emailaddress=i...@sakarya.edu.tr
            Right: C=TR, ST=NA, O=Sakarya Universitesi, CN=dot1x.sakarya.edu.tr/emailaddress=i...@sakarya.edu.tr
        Validity, Not Before:
            Left:  Jan 15 21:33:14 2008 GMT
            Right: Jan 17 15:47:53 2009 GMT
        Validity, Not After :
            Left:  Jan 14 21:33:14 2011 GMT
            Right: Jan 17 15:47:53 2012 GMT
        Subject:
            Left:  C=TR, ST=NA, O=Sakarya Universitesi, OU=IHSM, CN=dot1x.sakarya.edu.tr/emailaddress=i...@sakarya.edu.tr
            Right: C=TR, ST=NA, O=Sakarya Universitesi, CN=dot1x.sakarya.edu.tr/emailaddress=i...@sakarya.edu.tr
        Subject Public Key Info:
            Left:  Public Key Algorithm: rsaEncryption, RSA Public Key: (1024 bit), Exponent: 65537 (0x10001)
            Right: Public Key Algorithm: rsaEncryption, RSA Public Key: (1024 bit), Exponent: 65537 (0x10001)
            (the Modulus (1024 bit) bytes differ between the two files)
        X509v3 extensions, in the order each file lists them:
            Left:
                X509v3 Subject Key Identifier:
                    7B:4C:B3:74:82:82:FC:9F:CD:34:B1:43:9B:BD:7E:F1:50:38:BF:D8
                X509v3 Authority Key Identifier:
                    keyid:7B:4C:B3:74:82:82:FC:9F:CD:34:B1:43:9B:BD:7E:F1:50:38:BF:D8
                    DirName:/C=TR/ST=NA/O=Sakarya Universitesi/OU=IHSM/CN=dot1x.sakarya.edu.tr/emailaddress=i...@sakarya.edu.tr
                    serial:D5:11:3B:F9:71:87:06:8D
                X509v3 Basic Constraints:
                    CA:TRUE
            Right:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    42:9D:41:BB:4C:38:27:CC:39:A8:76:70:92:C3:8F:E9:51:78:E6:24
                X509v3 Authority Key Identifier:
                    keyid:42:9D:41:BB:4C:38:27:CC:39:A8:76:70:92:C3:8F:E9:51:78:E6:24
    Signature Algorithm:
        Left:  sha1WithRSAEncryption
        Right: sha1WithRSAEncryption
        (the signature bytes differ between the two files)

Re: eap/tls freeradius openssl

2009-01-13 Thread Brian Ertel
Cool, thanks.

Brian


On 1/13/09 4:58 PM, "John Dennis"  wrote:

> Brian Ertel wrote:
>> Oh, and should I include the /i386 dir and the i386.rpm suffix like:
>> 
>> rpm -Uhv /usr/src/redhat/RPMS/i386/freeradius-2.1.3-1.i386.rpm
>> /usr/src/redhat/RPMS/i386/freeradius-libs-2.1.3-1.i386.rpm
>>   
> Yes, use the filenames rpmbuild generated (it will tell you)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap/tls freeradius openssl

2009-01-13 Thread John Dennis

Brian Ertel wrote:

Oh, and should I include the /i386 dir and the i386.rpm suffix like:

rpm -Uhv /usr/src/redhat/RPMS/i386/freeradius-2.1.3-1.i386.rpm 
/usr/src/redhat/RPMS/i386/freeradius-libs-2.1.3-1.i386.rpm
  

Yes, use the filenames rpmbuild generated (it will tell you)

--
John Dennis 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: eap/tls freeradius openssl

2009-01-13 Thread Craig White
On Tue, 2009-01-13 at 16:38 -0500, Brian Ertel wrote:
> Oh, and should I include the /i386 dir and the i386.rpm suffix like:
> 
> rpm -Uhv /usr/src/redhat/RPMS/i386/freeradius-2.1.3-1.i386.rpm 
> /usr/src/redhat/RPMS/i386/freeradius-libs-2.1.3-1.i386.rpm
> 

suggestion...make life easy on yourself

cd /usr/src/redhat/RPMS/i386
yum localinstall \
 freeradius-2.1.3-1.i386.rpm \
 freeradius-libs-2.1.3-1.i386.rpm

(yum localinstall will install the local rpm's and download/install any
dependencies not yet installed)

Craig

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: eap/tls freeradius openssl

2009-01-13 Thread Brian Ertel
Oh, and should I include the /i386 dir and the i386.rpm suffix like:

rpm -Uhv /usr/src/redhat/RPMS/i386/freeradius-2.1.3-1.i386.rpm 
/usr/src/redhat/RPMS/i386/freeradius-libs-2.1.3-1.i386.rpm

Thanks,

Brian




-Original Message-
From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on 
behalf of John Dennis
Sent: Tue 1/13/2009 4:28 PM
To: FreeRadius users mailing list
Subject: Re: eap/tls freeradius openssl
 
Brian Ertel wrote:
> John,
>
> In the FAQ under the title Install the desired rpm's it reads:
>
> The rpm's under /usr/src/redhat/RPMS are the packages you'll want to install.
>
> % sudo rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm 
> /usr/src/redhat/SRPMS/freeradius-libs-2.1.1-7.fc10.src.rpm
>
> Under the RPM dir I have an i386 dir which includes:
>
> freeradius-2.1.3-1.i386.rpm            freeradius-mysql-2.1.3-1.i386.rpm
> freeradius-debuginfo-2.1.3-1.i386.rpm  freeradius-perl-2.1.3-1.i386.rpm
> freeradius-devel-2.1.3-1.i386.rpm  freeradius-postgresql-2.1.3-1.i386.rpm
> freeradius-krb5-2.1.3-1.i386.rpm   freeradius-python-2.1.3-1.i386.rpm
> freeradius-ldap-2.1.3-1.i386.rpm   freeradius-unixODBC-2.1.3-1.i386.rpm
> freeradius-libs-2.1.3-1.i386.rpm   freeradius-utils-2.1.3-1.i386.rpm
>
> and the SRPM dir includes:
>
> freeradius-2.1.3-1.src.rpm
>
> so the only file that I have that is a .src.rpm file is 
> freeradius-2.1.3-1.src.rpm, how for example does the:
>
> rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm 
> /usr/src/redhat/SRPMS/freeradius-libs-2.1.1-7.fc10.src.rpm command properly 
> install the freeradius-libs-2.1.3-1.i386.rpm file?  In other words 
> freeradius-libs-2.1.3-1.i386.rpm  is not a .src.rpm file right?
>   
oops ... looks like you found another cut-n-paste bug in the 
documentation, my apologies. The rpm's are not under SRPM, they are 
under RPM and do not have ".src.rpm" at the end, they just have ".rpm". 
I've updated the wiki page. Thank you for helping to debug the 
instructions and I'm sorry if it sent you down a wrong path.

-- 
John Dennis 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap/tls freeradius openssl

2009-01-13 Thread Brian Ertel
Thanks John, no prob.

Brian


On 1/13/09 4:28 PM, "John Dennis"  wrote:

> Brian Ertel wrote:
>> John,
>> 
>> In the FAQ under the title Install the desired rpm's it reads:
>> 
>> The rpm's under /usr/src/redhat/RPMS are the packages you'll want to install.
>> 
>> % sudo rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm
>> /usr/src/redhat/SRPMS/freeradius-libs-2.1.1-7.fc10.src.rpm
>> 
>> Under the RPM dir I have an i386 dir which includes:
>> 
>> freeradius-2.1.3-1.i386.rpm            freeradius-mysql-2.1.3-1.i386.rpm
>> freeradius-debuginfo-2.1.3-1.i386.rpm  freeradius-perl-2.1.3-1.i386.rpm
>> freeradius-devel-2.1.3-1.i386.rpm  freeradius-postgresql-2.1.3-1.i386.rpm
>> freeradius-krb5-2.1.3-1.i386.rpm   freeradius-python-2.1.3-1.i386.rpm
>> freeradius-ldap-2.1.3-1.i386.rpm   freeradius-unixODBC-2.1.3-1.i386.rpm
>> freeradius-libs-2.1.3-1.i386.rpm   freeradius-utils-2.1.3-1.i386.rpm
>> 
>> and the SRPM dir includes:
>> 
>> freeradius-2.1.3-1.src.rpm
>> 
>> so the only file that I have that is a .src.rpm file is
>> freeradius-2.1.3-1.src.rpm, how for example does the:
>> 
>> rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm
>> /usr/src/redhat/SRPMS/freeradius-libs-2.1.1-7.fc10.src.rpm command properly
>> install the freeradius-libs-2.1.3-1.i386.rpm file?  In other words
>> freeradius-libs-2.1.3-1.i386.rpm  is not a .src.rpm file right?
>>   
> Oops ... looks like you found another cut-n-paste bug in the
> documentation, my apologies. The rpm's are not under SRPM, they are
> under RPM and do not have ".src.rpm" at the end, they just have ".rpm".
> I've updated the wiki page. Thank you for helping to debug the
> instructions and I'm sorry if it sent you down a wrong path.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap/tls freeradius openssl

2009-01-13 Thread John Dennis

Brian Ertel wrote:

> John,
>
> In the FAQ under the title Install the desired rpm's it reads:
>
> The rpm's under /usr/src/redhat/RPMS are the packages you'll want to install.
>
> % sudo rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm
> /usr/src/redhat/SRPMS/freeradius-libs-2.1.1-7.fc10.src.rpm
>
> Under the RPM dir I have an i386 dir which includes:
>
> freeradius-2.1.3-1.i386.rpm            freeradius-mysql-2.1.3-1.i386.rpm
> freeradius-debuginfo-2.1.3-1.i386.rpm  freeradius-perl-2.1.3-1.i386.rpm
> freeradius-devel-2.1.3-1.i386.rpm  freeradius-postgresql-2.1.3-1.i386.rpm
> freeradius-krb5-2.1.3-1.i386.rpm   freeradius-python-2.1.3-1.i386.rpm
> freeradius-ldap-2.1.3-1.i386.rpm   freeradius-unixODBC-2.1.3-1.i386.rpm
> freeradius-libs-2.1.3-1.i386.rpm   freeradius-utils-2.1.3-1.i386.rpm
>
> and the SRPM dir includes:
>
> freeradius-2.1.3-1.src.rpm
>
> so the only file that I have that is a .src.rpm file is
> freeradius-2.1.3-1.src.rpm, how for example does the:
>
> rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm
> /usr/src/redhat/SRPMS/freeradius-libs-2.1.1-7.fc10.src.rpm command properly
> install the freeradius-libs-2.1.3-1.i386.rpm file?  In other words
> freeradius-libs-2.1.3-1.i386.rpm  is not a .src.rpm file right?

Oops ... looks like you found another cut-n-paste bug in the 
documentation, my apologies. The rpm's are not under SRPM, they are 
under RPM and do not have ".src.rpm" at the end, they just have ".rpm". 
I've updated the wiki page. Thank you for helping to debug the 
instructions and I'm sorry if it sent you down a wrong path.


--
John Dennis 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: eap/tls freeradius openssl

2009-01-13 Thread Brian Ertel

John,

In the FAQ under the title Install the desired rpm's it reads:

The rpm's under /usr/src/redhat/RPMS are the packages you'll want to install.

% sudo rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm 
/usr/src/redhat/SRPMS/freeradius-libs-2.1.1-7.fc10.src.rpm

Under the RPM dir I have an i386 dir which includes:

freeradius-2.1.3-1.i386.rpm            freeradius-mysql-2.1.3-1.i386.rpm
freeradius-debuginfo-2.1.3-1.i386.rpm  freeradius-perl-2.1.3-1.i386.rpm
freeradius-devel-2.1.3-1.i386.rpm  freeradius-postgresql-2.1.3-1.i386.rpm
freeradius-krb5-2.1.3-1.i386.rpm   freeradius-python-2.1.3-1.i386.rpm
freeradius-ldap-2.1.3-1.i386.rpm   freeradius-unixODBC-2.1.3-1.i386.rpm
freeradius-libs-2.1.3-1.i386.rpm   freeradius-utils-2.1.3-1.i386.rpm

and the SRPM dir includes:

freeradius-2.1.3-1.src.rpm

so the only file that I have that is a .src.rpm file is 
freeradius-2.1.3-1.src.rpm, how for example does the:

rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm 
/usr/src/redhat/SRPMS/freeradius-libs-2.1.1-7.fc10.src.rpm command properly 
install the freeradius-libs-2.1.3-1.i386.rpm file?  In other words 
freeradius-libs-2.1.3-1.i386.rpm  is not a .src.rpm file right?

Brian








-Original Message-
From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on 
behalf of John Dennis
Sent: Tue 1/13/2009 1:33 PM
To: FreeRadius users mailing list
Subject: Re: eap/tls freeradius openssl
 
Craig White wrote: 

> On Tue, 2009-01-13 at 11:46 -0500, John Dennis wrote:
> > Brian Ertel wrote:
> > > John,
> > >
> > > You are right, but the dir where the old radius was "make installed" is
> > > gone.  That is the original folder that was created after unzipping and
> > > installing the old ver. of radius is gone.  Is there anything else I can do?
> >
> > You can recreate the tree, follow the same steps you did the first time
> > which was probably something like this:
> >
> > % tar xf freeradius-server.tar
> > % cd freeradius-server
> > % ./configure #passing the exact same parameters you used the first time
> > % make
> >
> > Now instead of "make install" run "make uninstall"
> >
> > Then you can delete the source tree.
> >
> > BTW, all this is basic Linux/Unix administration, the freeradius-users
> > list is not an appropriate place to learn these topics.
>
> seems to me that it attempts to load the files he installed from tarball
> that are in /usr/local/[bin|sbin] and that is what he needs to clean out
> before he ever attempts to use anything installed from rpm

Exactly. FWIW the paths are embedded as a consequence of parameters passed to 
configure. When you build from an SRPM the spec file passes different 
parameters to configure than the default configure parameters, thus the two 
installs will not likely conflict, but it's possible. Therefore the best course 
of action, to assure there are no conflicts and to reduce the inevitable 
confusion of having multiple copies installed in various locations is to remove 
the first installation and then do an RPM install.

An install copies many files into a variety of locations, the only way to 
assure you've removed all the files is to use the same code to uninstall as was 
used to perform the install in the first place.

BTW, this is one reason why using the package manager on the target system 
(e.g. rpm, apt, dpkg, etc.) is always preferred because they know how to 
install and uninstall and keep a system consistent. When you go behind the back 
of these package managers by installing things manually (e.g. make install) you 
run the risk of screwing your system up unless you have advanced skills and 
know exactly what you're doing.

-- 
John Dennis  <mailto:jden...@redhat.com> 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap/tls freeradius openssl

2009-01-13 Thread Craig White
On Tue, 2009-01-13 at 13:33 -0500, John Dennis wrote:
> Craig White wrote: 
> > On Tue, 2009-01-13 at 11:46 -0500, John Dennis wrote:
> >   
> > > Brian Ertel wrote:
> > > 
> > > > John,
> > > > 
> > > > You are right, but the dir where the old radius was "make installed" is
> > > > gone.  That is the original folder that was created after unzipping and
> > > > installing the old ver. of radius is gone.  Is there anything else I 
> > > > can do?
> > > >   
> > > >   
> > > You can recreate the tree, follow the same steps you did the first time 
> > > which was probably something like this:
> > > 
> > > % tar xf freeradius-server.tar
> > > % cd freeradius-server
> > > % ./configure #passing the exact same parameters you used the first time
> > > % make
> > > 
> > > Now instead of "make install" run "make uninstall"
> > > 
> > > Then you can delete the source tree.
> > > 
> > > BTW, all this is basic Linux/Unix administration, the freeradius-users 
> > > list is not an appropriate place to learn these topics.
> > > 
> > 
> > seems to me that it attempts to load the files he installed from tarball
> > that are in /usr/local/[bin|sbin] and that is what he needs to clean out
> > before he ever attempts to use anything installed from rpm
> >   
> Exactly. FWIW the paths are embedded as a consequence of parameters
> passed to configure. When you build from an SRPM the spec file passes
> different parameters to configure than the default configure
> parameters, thus the two installs will not likely conflict, but it's
> possible. Therefore the best course of action, to assure there are no
> conflicts and to reduce the inevitable confusion of having multiple
> copies installed in various locations is to remove the first
> installation and then do an RPM install.
> 
> An install copies many files into a variety of locations, the only way
> to assure you've removed all the files is to use the same code to
> uninstall as was used to perform the install in the first place.
> 
> BTW, this is one reason why using the package manager on the target
> system (e.g. rpm, apt, dpkg, etc.) is always preferred because they
> know how to install and uninstall and keep a system consistent. When
> you go behind the back of these package managers by installing things
> manually (e.g. make install) you run the risk of screwing your system
> up unless you have advanced skills and know exactly what you're doing.

and 'make uninstall' often is simply not implemented in tarballs anyway.

Seeing the OP trying to install tarballs and rpm packages seems to be a
lesson in futility and I always opt for rpms if at all possible, just
for the reasons that you mentioned.

I actually rebuilt the F10 rpms before I saw your wiki page and like
about the day before you announced the 2.1.3 package in testing so I'm
sorry I didn't provide any useful feedback to either.

Craig

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
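
The conflict discussed in this thread (a tarball install under /usr/local sitting next to an RPM install of the same server) can be checked with a short script. This is an added example, not part of any message in the thread; the function names and the fixture's directory layout and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find commands installed twice (manual prefix vs. packaged
# prefix) and show which copy a given PATH would actually run.

# list_duplicates MANUAL_DIR PACKAGED_DIR
# Print the name of each executable file that exists in both directories.
list_duplicates() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -x "$f" ] && [ -x "$2/${f##*/}" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
}

# resolve_in_path NAME PATH_STRING
# Print the first executable NAME found while walking PATH_STRING left to
# right, which is the copy the shell would run. Returns 1 if none is found.
resolve_in_path() {
    _old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# Constructed fixture: a fake tarball install and a fake RPM install of the
# same daemon, built under a temporary directory so nothing real is touched.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/sbin" "$root/usr/sbin"
    printf '#!/bin/sh\necho tarball\n' > "$root/usr/local/sbin/radiusd"
    printf '#!/bin/sh\necho rpm\n' > "$root/usr/sbin/radiusd"
    printf '#!/bin/sh\necho rpm\n' > "$root/usr/sbin/radmin"
    chmod +x "$root/usr/local/sbin/radiusd" "$root/usr/sbin/radiusd" "$root/usr/sbin/radmin"
    for name in $(list_duplicates "$root/usr/local/sbin" "$root/usr/sbin"); do
        winner=$(resolve_in_path "$name" "$root/usr/local/sbin:$root/usr/sbin")
        printf 'duplicate: %s (PATH runs %s)\n' "$name" "${winner#"$root"}"
    done
    rm -rf "$root"
}
demo
```

On an RPM-based system, running `rpm -qf` on each reported path shows which copy the package manager owns.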


Re: eap/tls freeradius openssl

2009-01-13 Thread John Dennis

Craig White wrote:

> On Tue, 2009-01-13 at 11:46 -0500, John Dennis wrote:
> > Brian Ertel wrote:
> > > John,
> > >
> > > You are right, but the dir where the old radius was "make installed" is
> > > gone.  That is the original folder that was created after unzipping and
> > > installing the old ver. of radius is gone.  Is there anything else I can do?
> >
> > You can recreate the tree, follow the same steps you did the first time
> > which was probably something like this:
> >
> > % tar xf freeradius-server.tar
> > % cd freeradius-server
> > % ./configure #passing the exact same parameters you used the first time
> > % make
> >
> > Now instead of "make install" run "make uninstall"
> >
> > Then you can delete the source tree.
> >
> > BTW, all this is basic Linux/Unix administration, the freeradius-users
> > list is not an appropriate place to learn these topics.
>
> seems to me that it attempts to load the files he installed from tarball
> that are in /usr/local/[bin|sbin] and that is what he needs to clean out
> before he ever attempts to use anything installed from rpm

Exactly. FWIW the paths are embedded as a consequence of parameters 
passed to configure. When you build from an SRPM the spec file passes 
different parameters to configure than the default configure parameters, 
thus the two installs will not likely conflict, but it's possible. 
Therefore the best course of action, to assure there are no conflicts 
and to reduce the inevitable confusion of having multiple copies 
installed in various locations is to remove the first installation and 
then do an RPM install.


An install copies many files into a variety of locations, the only way 
to assure you've removed all the files is to use the same code to uninstall 
as was used to perform the install in the first place.


BTW, this is one reason why using the package manager on the target 
system (e.g. rpm, apt, dpkg, etc.) is always preferred because they know 
how to install and uninstall and keep a system consistent. When you go 
behind the back of these package managers by installing things manually 
(e.g. make install) you run the risk of screwing your system up unless 
you have advanced skills and know exactly what you're doing.


--
John Dennis 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
