Re: rlm eap problem

2009-05-29 Thread A . L . M . Buxey
Hi,

> But now I get the following errors, and I don't know what to do...
> 
> 
> rlm_eap: SSL error error::lib(0):func(0):reason(0)
> rlm_eap_tls: Error loading randomness
> rlm_eap: Failed to initialize type tls
> /mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module 
> "eap"

your eap.conf is still broken - this time because of the random file.

the default install with no playing around would have created a reasonable
starting config with eap working... you could then have just edited
eap.conf and put your own certificates into place afterwards.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: rlm eap problem

2009-05-29 Thread Danner, Mearl
Do these files exist?

dh_file = ${certdir}/dh
random_file = ${certdir}/random
Hints here:

http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09589.html

> -Original Message-
> From: freeradius-users-
> bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
> users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
> Michael Ziemann
> Sent: Friday, May 29, 2009 9:19 AM
> To: FreeRadius users mailing list
> Subject: AW: rlm eap problem
>
> Hi there,
>
> Yes, of course you were right, the file was named server.pem :) -> bad
> mistake, sorry...
>
> But now I get the following errors, and I don't know what to do...
>
>
> rlm_eap: SSL error error::lib(0):func(0):reason(0)
> rlm_eap_tls: Error loading randomness
> rlm_eap: Failed to initialize type tls
> /mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for
> module "eap"
> /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to
> find module "eap".
> /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors
> parsing authenticate section.
>  }
> }
> Errors initializing modules
>
>
> Sorry guys, but I don't have any experience with certificates ...
>
> Thanks
>
> Michael
>
>
> That's my eap.conf:
>
>
> # -*- text -*-
> ##
> ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
> ##
> ##$Id$
>
> ###
> #
> #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
> #  is smart enough to figure this out on its own.  The most
> #  common side effect of setting 'Auth-Type := EAP' is that the
> #  users then cannot use ANY other authentication method.
> #
> #  EAP types NOT listed here may be supported via the "eap2" module.
> #  See experimental.conf for documentation.
> #
>   eap {
>   #  Invoke the default supported EAP type when
>   #  EAP-Identity response is received.
>   #
>   #  The incoming EAP messages DO NOT specify which EAP
>   #  type they will be using, so it MUST be set here.
>   #
>   #  For now, only one default EAP type may be used at a
> time.
>   #
>   #  If the EAP-Type attribute is set by another module,
>   #  then that EAP type takes precedence over the
>   #  default type configured here.
>   #
>   default_eap_type = md5
>
>   #  A list is maintained to correlate EAP-Response
>   #  packets with EAP-Request packets.  After a
>   #  configurable length of time, entries in the list
>   #  expire, and are deleted.
>   #
>   timer_expire = 60
>
>   #  There are many EAP types, but the server has support
>   #  for only a limited subset.  If the server receives
>   #  a request for an EAP type it does not support, then
>   #  it normally rejects the request.  By setting this
>   #  configuration to "yes", you can tell the server to
>   #  instead keep processing the request.  Another module
>   #  MUST then be configured to proxy the request to
>   #  another RADIUS server which supports that EAP type.
>   #
>   #  If another module is NOT configured to handle the
>   #  request, then the request will still end up being
>   #  rejected.
>   ignore_unknown_eap_types = no
>
>   # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
>   # a User-Name attribute in an Access-Accept, it copies one
>   # more byte than it should.
>   #
>   # We can work around it by configurably adding an extra
>   # zero byte.
>   cisco_accounting_username_bug = no
>
>   #
>   #  Help prevent DoS attacks by limiting the number of
>   #  sessions that the server is tracking.  Most systems
>   #  can handle ~30 EAP sessions/s, so the default limit
>   #  of 2048 is more than enough.
>   max_sessions = 2048
>
>   # Supported EAP-types
>
>   #
>   #  We do NOT recommend using EAP-MD5 authentication
>   #  for wireless connections.  It is insecure, and does
>   #  not provide for dynamic WEP keys.
>   #
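Added example, not code from the thread or the FreeRADIUS project: a POSIX sh script that does the check Mearl asks for here ("Do these files exist?") and Alan asks for later in the thread (existence and permissions). It walks every *_file setting in a tls section, expands ${certdir}, and reports which files radiusd could not open. The eap.conf and certs directory it builds are constructed for the demo, with certs/random deliberately absent.

```sh
#!/bin/sh
# Added example, not code from the thread or the FreeRADIUS project: for every
# "<name>_file = <path>" setting in an eap.conf tls section, expand ${certdir}
# and report whether radiusd could open the file. "Error loading randomness" and
# "Error reading Trusted root CA list" both come down to one of these failing.

# check_tls_files CONFIG CERTDIR
# Prints ok / MISSING / UNREADABLE per setting; returns the number of settings
# whose file cannot be read, so 0 means every referenced file can be opened.
check_tls_files() {
    cfg="$1"; certdir="$2"; bad=0
    # name = "path"  ->  "name path", quotes and trailing comments dropped
    settings=$(sed -n \
        's/^[[:space:]]*\([A-Za-z_]*_file\)[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1 \2/p' \
        "$cfg")
    while read -r name path; do
        [ -n "$name" ] || continue
        # expand ${certdir} the way the stock eap.conf expects
        path=$(printf '%s\n' "$path" | sed "s|[$]{certdir}|$certdir|g")
        if [ ! -e "$path" ]; then
            echo "MISSING    $name = $path"; bad=$((bad + 1))
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $name = $path"; bad=$((bad + 1))
        else
            echo "ok         $name = $path"
        fi
    done <<EOF
$settings
EOF
    return "$bad"
}

# make_sample DIR: constructed raddb layout using the thread's tls settings;
# certs/random is deliberately left out to reproduce "Error loading randomness".
make_sample() {
    mkdir -p "$1/certs"
    : > "$1/certs/ca.pem"; : > "$1/certs/server.pem"; : > "$1/certs/dh"
    cat > "$1/eap.conf" <<'EOF'
    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
    }
EOF
}

sample=$(mktemp -d); make_sample "$sample"
check_tls_files "$sample/eap.conf" "$sample/certs" || echo "$? file(s) need fixing"
```

Run it as the user radiusd actually runs as, otherwise the -r test reports root's view of the permissions rather than the server's.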

AW: rlm eap problem

2009-05-29 Thread Michael Ziemann
 #
#  The tunneled EAP session needs a default EAP type
#  which is separate from the one for the non-tunneled
#  EAP module.  Inside of the TLS/PEAP tunnel, we
#  recommend using EAP-MS-CHAPv2.
#
#  The PEAP module needs the TLS module to be installed
#  and configured, in order to use the TLS tunnel
#  inside of the EAP packet.  You will still need to
#  configure the TLS module, even if you do not want
#  to deploy EAP-TLS in your network.  Users will not
#  be able to request EAP-TLS, as it requires them to
#  have a client certificate.  EAP-PEAP does not
#  require a client certificate.
#
#
#  You can make PEAP require a client cert by setting
#
#   EAP-TLS-Require-Client-Cert = Yes
#
#  in the control items for a request.
#
peap {
#  The tunneled EAP session needs a default
#  EAP type which is separate from the one for
#  the non-tunneled EAP module.  Inside of the
#  PEAP tunnel, we recommend using MS-CHAPv2,
#  as that is the default type supported by
#  Windows clients.
default_eap_type = mschapv2

#  the PEAP module also has these configuration
#  items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no

#  When the tunneled session is proxied, the
#  home server may not understand EAP-MSCHAP-V2.
#  Set this entry to "no" to proxy the tunneled
#  EAP-MSCHAP-V2 as normal MSCHAPv2.
#   proxy_tunneled_request_as_eap = yes

#
#  The inner tunneled request can be sent
#  through a virtual server constructed
#  specifically for this purpose.
#
#  If this entry is commented out, the inner
#  tunneled request will be sent through
#  the virtual server that processed the
#  outer requests.
#
virtual_server = "inner-tunnel"
}

#
#  This takes no configuration.
#
#  Note that it is the EAP MS-CHAPv2 sub-module, not
#  the main 'mschap' module.
#
#  Note also that in order for this sub-module to work,
#  the main 'mschap' module MUST ALSO be configured.
#
#  This module is the *Microsoft* implementation of MS-CHAPv2
#  in EAP.  There is another (incompatible) implementation
#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
#  currently support.
#
mschapv2 {
}
}





-Original Message-
From: 
freeradius-users-bounces+michael.ziemann=herber-herber...@lists.freeradius.org 
[mailto:freeradius-users-bounces+michael.ziemann=herber-herber...@lists.freeradius.org]
 On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Friday, 29 May 2009 15:54
To: FreeRadius users mailing list
Subject: Re: rlm eap problem

Hi,

> Now I got a new problem with rlm_eap and the server doesn't start
> anymore. You were right, I commented $INCLUDE sites-enabled/ in
> radiusd.conf.

the errors are clear enough!

>  Module: Instantiating eap-tls
>tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> pem_file_type = yes
> private_key_file =
> "/mypath/freeradius/etc/raddb/certs/server.pem"
> certificate_file =
> "/mypath/freeradius/etc/raddb/certs/server.pem"
> CA_file = "/mypath/freeradius/etc/raddb/certs/ca.pem"
> private_key_password = "whatever"
> dh_file = "/mypath/freeradius/etc/raddb/certs/dh"
> random_file = "/mypath/freeradius/etc/raddb/certs/random"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> make_cert_command =
> "/mypath/freeradius/etc/raddb/certs/bootstrap"

Re: rlm eap problem

2009-05-29 Thread Ivan Kalik
> Now I got a new problem with rlm_eap and the server doesn't start
> anymore. You were right, I commented $INCLUDE sites-enabled/ in
> radiusd.conf.
>
>
> So what can I do now?
...
> rlm_eap: SSL error error:02001002:system library:fopen:No such file or
> directory
> rlm_eap_tls: Error reading Trusted root CA list
> /mypath/freeradius/etc/raddb/certs/ca.pem

Nothing mysterious about that error. Is the file there? Permissions?

Ivan Kalik
Kalik Informatika ISP



Re: rlm eap problem

2009-05-29 Thread A . L . M . Buxey
Hi,

> Now I got a new problem with rlm_eap and the server doesn't start
> anymore. You were right, I commented $INCLUDE sites-enabled/ in
> radiusd.conf.

the errors are clear enough!

>  Module: Instantiating eap-tls
>tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> pem_file_type = yes
> private_key_file =
> "/mypath/freeradius/etc/raddb/certs/server.pem"
> certificate_file =
> "/mypath/freeradius/etc/raddb/certs/server.pem"
> CA_file = "/mypath/freeradius/etc/raddb/certs/ca.pem"
> private_key_password = "whatever"
> dh_file = "/mypath/freeradius/etc/raddb/certs/dh"
> random_file = "/mypath/freeradius/etc/raddb/certs/random"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> make_cert_command =
> "/mypath/freeradius/etc/raddb/certs/bootstrap"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
>}
> rlm_eap: SSL error error:02001002:system library:fopen:No such file or
> directory
> rlm_eap_tls: Error reading Trusted root CA list 
> /mypath/freeradius/etc/raddb/certs/ca.pem
^^^

ta da! what couldn't be clearer? does that file exist, and if so does it have
the correct permissions?

alan


rlm eap problem

2009-05-29 Thread Michael Ziemann
Hi folks,

Now I got a new problem with rlm_eap and the server doesn't start
anymore. You were right, I commented $INCLUDE sites-enabled/ in
radiusd.conf.


So what can I do now?


Best regards

Michael


FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26
2009 at 14:24:27
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /mypath/freeradius/etc/raddb/radiusd.conf
including configuration file /mypath/freeradius/etc/raddb/proxy.conf
including configuration file /mypath/freeradius/etc/raddb/clients.conf
including files in directory /mypath/freeradius/etc/raddb/modules/
including configuration file /mypath/freeradius/etc/raddb/modules/chap
including configuration file
/mypath/freeradius/etc/raddb/modules/acct_unique
including configuration file /mypath/freeradius/etc/raddb/modules/always
including configuration file
/mypath/freeradius/etc/raddb/modules/attr_filter
including configuration file
/mypath/freeradius/etc/raddb/modules/attr_rewrite
including configuration file
/mypath/freeradius/etc/raddb/modules/checkval
including configuration file
/mypath/freeradius/etc/raddb/modules/counter
including configuration file /mypath/freeradius/etc/raddb/modules/detail
including configuration file
/mypath/freeradius/etc/raddb/modules/detail.example.com
including configuration file
/mypath/freeradius/etc/raddb/modules/detail.log
including configuration file /mypath/freeradius/etc/raddb/modules/digest
including configuration file /mypath/freeradius/etc/raddb/modules/echo
including configuration file
/mypath/freeradius/etc/raddb/modules/etc_group
including configuration file /mypath/freeradius/etc/raddb/modules/exec
including configuration file
/mypath/freeradius/etc/raddb/modules/expiration
including configuration file /mypath/freeradius/etc/raddb/modules/expr
including configuration file /mypath/freeradius/etc/raddb/modules/files
including configuration file
/mypath/freeradius/etc/raddb/modules/inner-eap
including configuration file /mypath/freeradius/etc/raddb/modules/ippool
including configuration file /mypath/freeradius/etc/raddb/modules/krb5
including configuration file /mypath/freeradius/etc/raddb/modules/ldap
including configuration file
/mypath/freeradius/etc/raddb/modules/linelog
including configuration file
/mypath/freeradius/etc/raddb/modules/logintime
including configuration file /mypath/freeradius/etc/raddb/modules/mac2ip
including configuration file
/mypath/freeradius/etc/raddb/modules/mac2vlan
including configuration file /mypath/freeradius/etc/raddb/modules/mschap
including configuration file /mypath/freeradius/etc/raddb/modules/otp
including configuration file /mypath/freeradius/etc/raddb/modules/pam
including configuration file /mypath/freeradius/etc/raddb/modules/pap
including configuration file /mypath/freeradius/etc/raddb/modules/passwd
including configuration file /mypath/freeradius/etc/raddb/modules/perl
including configuration file /mypath/freeradius/etc/raddb/modules/policy
including configuration file
/mypath/freeradius/etc/raddb/modules/preprocess
including configuration file
/mypath/freeradius/etc/raddb/modules/radutmp
including configuration file /mypath/freeradius/etc/raddb/modules/realm
including configuration file
/mypath/freeradius/etc/raddb/modules/smbpasswd
including configuration file /mypath/freeradius/etc/raddb/modules/smsotp
including configuration file
/mypath/freeradius/etc/raddb/modules/sql_log
including configuration file
/mypath/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file
/mypath/freeradius/etc/raddb/modules/sradutmp
including configuration file /mypath/freeradius/etc/raddb/modules/unix
including configuration file /mypath/freeradius/etc/raddb/modules/wimax
including configuration file /mypath/freeradius/etc/raddb/eap.conf
including configuration file /mypath/freeradius/etc/raddb/sql.conf
including configuration file
/mypath/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file /mypath/freeradius/etc/raddb/policy.conf
including files in directory /mypath/freeradius/etc/raddb/sites-enabled/
including configuration file
/mypath/freeradius/etc/raddb/sites-enabled/default
including configuration file
/mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/mypath/freeradius/etc/raddb/sites-enabled/control-socket
including dictionary file /mypath/freeradius/etc/raddb/dictionary
main {
prefix = "/mypath/freeradius"
localstatedir = "/mypath/freeradius/var"
logdir = "/mypath/freeradius/var/log/radius"
libdir = "/mypath/freeradius/lib"
radacctdir = "/mypath/freeradius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay