Re: rlm eap problem
Hi,

> But now I get following errors, but now I don't know what's to do...
>
> rlm_eap: SSL error error::lib(0):func(0):reason(0)
> rlm_eap_tls: Error loading randomness
> rlm_eap: Failed to initialize type tls
> /mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"

your eap.conf is still broken - this time because of the random file.

the default install with no playing around would have created a reasonable
starting config with eap working. you could then have just edited eap.conf
and put your own certificates into place afterwards.

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm eap problem
Do these files exist?

    dh_file = ${certdir}/dh
    random_file = ${certdir}/random

Hints here:
http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09589.html

> -----Original Message-----
> From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
> On Behalf Of Michael Ziemann
> Sent: Friday, May 29, 2009 9:19 AM
> To: FreeRadius users mailing list
> Subject: AW: rlm eap problem
>
> Hi there,
>
> Yes, of course you were right, the file was named server.pem :) -> bad
> mistake, sry...
>
> But now I get following errors, but now I don't know what's to do...
>
> rlm_eap: SSL error error::lib(0):func(0):reason(0)
> rlm_eap_tls: Error loading randomness
> rlm_eap: Failed to initialize type tls
> /mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
> /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
> /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
> }
> }
> Errors initializing modules
>
> Sorry guys, but I don't have any experience with certificates ...
>
> Thanks
>
> Michael
>
> That's my eap.conf:
>
> # -*- text -*-
> ##
> ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
> ##
> ## $Id$
>
> ###
> #
> # Whatever you do, do NOT set 'Auth-Type := EAP'. The server
> # is smart enough to figure this out on its own. The most
> # common side effect of setting 'Auth-Type := EAP' is that the
> # users then cannot use ANY other authentication method.
> #
> # EAP types NOT listed here may be supported via the "eap2" module.
> # See experimental.conf for documentation.
> #
> eap {
>     # Invoke the default supported EAP type when
>     # EAP-Identity response is received.
>     #
>     # The incoming EAP messages DO NOT specify which EAP
>     # type they will be using, so it MUST be set here.
>     #
>     # For now, only one default EAP type may be used at a time.
>     #
>     # If the EAP-Type attribute is set by another module,
>     # then that EAP type takes precedence over the
>     # default type configured here.
>     #
>     default_eap_type = md5
>
>     # A list is maintained to correlate EAP-Response
>     # packets with EAP-Request packets. After a
>     # configurable length of time, entries in the list
>     # expire, and are deleted.
>     #
>     timer_expire = 60
>
>     # There are many EAP types, but the server has support
>     # for only a limited subset. If the server receives
>     # a request for an EAP type it does not support, then
>     # it normally rejects the request. By setting this
>     # configuration to "yes", you can tell the server to
>     # instead keep processing the request. Another module
>     # MUST then be configured to proxy the request to
>     # another RADIUS server which supports that EAP type.
>     #
>     # If another module is NOT configured to handle the
>     # request, then the request will still end up being
>     # rejected.
>     ignore_unknown_eap_types = no
>
>     # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
>     # a User-Name attribute in an Access-Accept, it copies one
>     # more byte than it should.
>     #
>     # We can work around it by configurably adding an extra
>     # zero byte.
>     cisco_accounting_username_bug = no
>
>     #
>     # Help prevent DoS attacks by limiting the number of
>     # sessions that the server is tracking. Most systems
>     # can handle ~30 EAP sessions/s, so the default limit
>     # of 2048 is more than enough.
>     max_sessions = 2048
>
>     # Supported EAP-types
>
>     #
>     # We do NOT recommend using EAP-MD5 authentication
>     # for wireless connections. It is insecure, and does
>     # not provide for dynamic WEP keys.
>     #
AW: rlm eap problem
    #
    # The tunneled EAP session needs a default EAP type
    # which is separate from the one for the non-tunneled
    # EAP module. Inside of the TLS/PEAP tunnel, we
    # recommend using EAP-MS-CHAPv2.
    #
    # The PEAP module needs the TLS module to be installed
    # and configured, in order to use the TLS tunnel
    # inside of the EAP packet. You will still need to
    # configure the TLS module, even if you do not want
    # to deploy EAP-TLS in your network. Users will not
    # be able to request EAP-TLS, as it requires them to
    # have a client certificate. EAP-PEAP does not
    # require a client certificate.
    #
    #
    # You can make PEAP require a client cert by setting
    #
    # EAP-TLS-Require-Client-Cert = Yes
    #
    # in the control items for a request.
    #
    peap {
        # The tunneled EAP session needs a default
        # EAP type which is separate from the one for
        # the non-tunneled EAP module. Inside of the
        # PEAP tunnel, we recommend using MS-CHAPv2,
        # as that is the default type supported by
        # Windows clients.
        default_eap_type = mschapv2

        # the PEAP module also has these configuration
        # items, which are the same as for TTLS.
        copy_request_to_tunnel = no
        use_tunneled_reply = no

        # When the tunneled session is proxied, the
        # home server may not understand EAP-MSCHAP-V2.
        # Set this entry to "no" to proxy the tunneled
        # EAP-MSCHAP-V2 as normal MSCHAPv2.
        #
        proxy_tunneled_request_as_eap = yes

        #
        # The inner tunneled request can be sent
        # through a virtual server constructed
        # specifically for this purpose.
        #
        # If this entry is commented out, the inner
        # tunneled request will be sent through
        # the virtual server that processed the
        # outer requests.
        #
        virtual_server = "inner-tunnel"
    }

    #
    # This takes no configuration.
    #
    # Note that it is the EAP MS-CHAPv2 sub-module, not
    # the main 'mschap' module.
    #
    # Note also that in order for this sub-module to work,
    # the main 'mschap' module MUST ALSO be configured.
    #
    # This module is the *Microsoft* implementation of MS-CHAPv2
    # in EAP. There is another (incompatible) implementation
    # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
    # currently support.
    #
    mschapv2 {
    }
}

-----Original Message-----
From: freeradius-users-bounces+michael.ziemann=herber-herber...@lists.freeradius.org
[mailto:freeradius-users-bounces+michael.ziemann=herber-herber...@lists.freeradius.org]
On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Friday, 29 May 2009 15:54
To: FreeRadius users mailing list
Subject: Re: rlm eap problem

Hi,

> Now I got a new problem with rlm_eap and the server doesn't start
> anymore. You were right, I commented $INCLUDE sites-enabled/ in
> radiusd.conf.

the errors are clear enough!

> Module: Instantiating eap-tls
>  tls {
>      rsa_key_exchange = no
>      dh_key_exchange = yes
>      rsa_key_length = 512
>      dh_key_length = 512
>      verify_depth = 0
>      pem_file_type = yes
>      private_key_file = "/mypath/freeradius/etc/raddb/certs/server.pem"
>      certificate_file = "/mypath/freeradius/etc/raddb/certs/server.pem"
>      CA_file = "/mypath/freeradius/etc/raddb/certs/ca.pem"
>      private_key_password = "whatever"
>      dh_file = "/mypath/freeradius/etc/raddb/certs/dh"
>      random_file = "/mypath/freeradius/etc/raddb/certs/random"
>      fragment_size = 1024
>      include_length = yes
>      check_crl = no
>      cipher_list = "DEFAULT"
>      make_cert_command = "/mypath/freeradius/etc/raddb/certs/bootstrap"
Re: rlm eap problem
> Now I got a new problem with rlm_eap and the server doesn't start
> anymore. You were right, I commented $INCLUDE sites-enabled/ in
> radiusd.conf.
>
> So what can I do now?

...

> rlm_eap: SSL error error:02001002:system library:fopen:No such file or
> directory
> rlm_eap_tls: Error reading Trusted root CA list
> /mypath/freeradius/etc/raddb/certs/ca.pem

Nothing mysterious about that error. Is the file there? Permissions?

Ivan Kalik
Kalik Informatika ISP
Re: rlm eap problem
Hi,

> Now I got a new problem with rlm_eap and the server doesn't start
> anymore. You were right, I commented $INCLUDE sites-enabled/ in
> radiusd.conf.

the errors are clear enough!

> Module: Instantiating eap-tls
>  tls {
>      rsa_key_exchange = no
>      dh_key_exchange = yes
>      rsa_key_length = 512
>      dh_key_length = 512
>      verify_depth = 0
>      pem_file_type = yes
>      private_key_file = "/mypath/freeradius/etc/raddb/certs/server.pem"
>      certificate_file = "/mypath/freeradius/etc/raddb/certs/server.pem"
>      CA_file = "/mypath/freeradius/etc/raddb/certs/ca.pem"
>      private_key_password = "whatever"
>      dh_file = "/mypath/freeradius/etc/raddb/certs/dh"
>      random_file = "/mypath/freeradius/etc/raddb/certs/random"
>      fragment_size = 1024
>      include_length = yes
>      check_crl = no
>      cipher_list = "DEFAULT"
>      make_cert_command = "/mypath/freeradius/etc/raddb/certs/bootstrap"
>      cache {
>          enable = no
>          lifetime = 24
>          max_entries = 255
>      }
>  }
> rlm_eap: SSL error error:02001002:system library:fopen:No such file or
> directory
> rlm_eap_tls: Error reading Trusted root CA list
> /mypath/freeradius/etc/raddb/certs/ca.pem

^^^ ta da! what couldn't be clearer? does that file exist, if so does it
have the correct permissions?

alan
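The two questions raised in this thread (does ca.pem exist and is it readable, and do the dh and random files referenced by dh_file and random_file exist) can be checked before radiusd is started, instead of reading them out of the startup failure. The script below is an added example for this page, not code from the thread or from the FreeRADIUS project. It assumes a FreeRADIUS 2.x style eap.conf in which certdir is set inside the tls section and paths use the ${confdir} and ${certdir} references of the stock file; ${confdir} is taken to be the directory holding eap.conf, which is an assumption. The function and file names are the example's own.

```shell
#!/bin/sh
# Pre-flight check for the files an eap.conf "tls { ... }" section points at.
# Added example for this thread, not code from FreeRADIUS itself.
# Assumptions: FreeRADIUS 2.x style eap.conf; "certdir" is set inside the
# tls section; values may use ${confdir} (assumed here to be the directory
# holding eap.conf) and ${certdir}, as the stock file does.

# conf_value FILE KEY: print the value of the first "KEY = value" line,
# minus surrounding double quotes and any trailing "# comment".
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" |
        head -n 1 |
        sed 's/[[:space:]]*#.*$//; s/^"//; s/"[[:space:]]*$//'
}

# expand_vars VALUE CONFDIR CERTDIR: substitute ${confdir} and ${certdir}.
expand_vars() {
    printf '%s\n' "$1" | sed 's|\${confdir}|'"$2"'|g; s|\${certdir}|'"$3"'|g'
}

# check_eap_tls_files CONF: prints one line per key; returns 0 only if every
# referenced file exists, is readable by the current user and is non-empty.
# Run it as the user radiusd drops to, otherwise root's read access hides
# permission problems.
check_eap_tls_files() {
    conf=$1
    confdir=$(cd "$(dirname "$conf")" && pwd)
    certdir=$(expand_vars "$(conf_value "$conf" certdir)" "$confdir" "")
    rc=0
    for key in private_key_file certificate_file CA_file dh_file random_file; do
        raw=$(conf_value "$conf" "$key")
        if [ -z "$raw" ]; then
            echo "$key: not set"
            continue
        fi
        path=$(expand_vars "$raw" "$confdir" "$certdir")
        if [ ! -e "$path" ]; then
            echo "$key: MISSING    $path"; rc=1
        elif [ ! -r "$path" ]; then
            echo "$key: UNREADABLE $path (owner/mode vs. the user radiusd runs as)"; rc=1
        elif [ ! -s "$path" ]; then
            echo "$key: EMPTY      $path"; rc=1
        else
            echo "$key: ok         $path"
        fi
    done
    return $rc
}

# make_eap_random_file PATH: create the seed file rlm_eap_tls loads through
# random_file (10 KiB from the kernel RNG, readable only by its owner).
# dh_file is not generated here; use e.g. "openssl dhparam -out dh 2048".
make_eap_random_file() {
    dd if=/dev/urandom of="$1" bs=1024 count=10 2>/dev/null && chmod 600 "$1"
}

# Usage: sh eap_tls_check.sh /mypath/freeradius/etc/raddb/eap.conf
[ "$#" -eq 0 ] || check_eap_tls_files "$1"
```

To see what the server itself will see, run the check as the account radiusd switches to after startup (assumed here to be `radiusd`): `su -s /bin/sh radiusd -c 'sh eap_tls_check.sh /mypath/freeradius/etc/raddb/eap.conf'`. A file that is present but unreadable to that account produces exactly the "fopen: No such file or directory" or "Error loading randomness" startup failures quoted above, and `radiusd -X` only reports the first one it hits.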
rlm eap problem
Hi folks,

Now I got a new problem with rlm_eap and the server doesn't start anymore.
You were right, I commented $INCLUDE sites-enabled/ in radiusd.conf.

So what can I do now?

Best regards
Michael

FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26 2009 at 14:24:27
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /mypath/freeradius/etc/raddb/radiusd.conf
including configuration file /mypath/freeradius/etc/raddb/proxy.conf
including configuration file /mypath/freeradius/etc/raddb/clients.conf
including files in directory /mypath/freeradius/etc/raddb/modules/
including configuration file /mypath/freeradius/etc/raddb/modules/chap
including configuration file /mypath/freeradius/etc/raddb/modules/acct_unique
including configuration file /mypath/freeradius/etc/raddb/modules/always
including configuration file /mypath/freeradius/etc/raddb/modules/attr_filter
including configuration file /mypath/freeradius/etc/raddb/modules/attr_rewrite
including configuration file /mypath/freeradius/etc/raddb/modules/checkval
including configuration file /mypath/freeradius/etc/raddb/modules/counter
including configuration file /mypath/freeradius/etc/raddb/modules/detail
including configuration file /mypath/freeradius/etc/raddb/modules/detail.example.com
including configuration file /mypath/freeradius/etc/raddb/modules/detail.log
including configuration file /mypath/freeradius/etc/raddb/modules/digest
including configuration file /mypath/freeradius/etc/raddb/modules/echo
including configuration file /mypath/freeradius/etc/raddb/modules/etc_group
including configuration file /mypath/freeradius/etc/raddb/modules/exec
including configuration file /mypath/freeradius/etc/raddb/modules/expiration
including configuration file /mypath/freeradius/etc/raddb/modules/expr
including configuration file /mypath/freeradius/etc/raddb/modules/files
including configuration file /mypath/freeradius/etc/raddb/modules/inner-eap
including configuration file /mypath/freeradius/etc/raddb/modules/ippool
including configuration file /mypath/freeradius/etc/raddb/modules/krb5
including configuration file /mypath/freeradius/etc/raddb/modules/ldap
including configuration file /mypath/freeradius/etc/raddb/modules/linelog
including configuration file /mypath/freeradius/etc/raddb/modules/logintime
including configuration file /mypath/freeradius/etc/raddb/modules/mac2ip
including configuration file /mypath/freeradius/etc/raddb/modules/mac2vlan
including configuration file /mypath/freeradius/etc/raddb/modules/mschap
including configuration file /mypath/freeradius/etc/raddb/modules/otp
including configuration file /mypath/freeradius/etc/raddb/modules/pam
including configuration file /mypath/freeradius/etc/raddb/modules/pap
including configuration file /mypath/freeradius/etc/raddb/modules/passwd
including configuration file /mypath/freeradius/etc/raddb/modules/perl
including configuration file /mypath/freeradius/etc/raddb/modules/policy
including configuration file /mypath/freeradius/etc/raddb/modules/preprocess
including configuration file /mypath/freeradius/etc/raddb/modules/radutmp
including configuration file /mypath/freeradius/etc/raddb/modules/realm
including configuration file /mypath/freeradius/etc/raddb/modules/smbpasswd
including configuration file /mypath/freeradius/etc/raddb/modules/smsotp
including configuration file /mypath/freeradius/etc/raddb/modules/sql_log
including configuration file /mypath/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /mypath/freeradius/etc/raddb/modules/sradutmp
including configuration file /mypath/freeradius/etc/raddb/modules/unix
including configuration file /mypath/freeradius/etc/raddb/modules/wimax
including configuration file /mypath/freeradius/etc/raddb/eap.conf
including configuration file /mypath/freeradius/etc/raddb/sql.conf
including configuration file /mypath/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file /mypath/freeradius/etc/raddb/policy.conf
including files in directory /mypath/freeradius/etc/raddb/sites-enabled/
including configuration file /mypath/freeradius/etc/raddb/sites-enabled/default
including configuration file /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /mypath/freeradius/etc/raddb/sites-enabled/control-socket
including dictionary file /mypath/freeradius/etc/raddb/dictionary
main {
    prefix = "/mypath/freeradius"
    localstatedir = "/mypath/freeradius/var"
    logdir = "/mypath/freeradius/var/log/radius"
    libdir = "/mypath/freeradius/lib"
    radacctdir = "/mypath/freeradius/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay