Freeradius+Active directory - router login authentication

Turbo Fredriksson turbo at dagdrivarn.se
Mon Sep 10 13:06:29 CEST 2007


Quoting "Rakesh Jha" <rakesh at burgan.com>:

I'm far from an expert in FreeRADIUS (so take what I say with a
grain of salt), but I instantly noticed this.

>  tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
>  tls: check_cert_cn = "(null)"
>  tls: cipher_list = "(null)"
>  tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap_tls: Unable to open DH file - (null)
> rlm_eap: Failed to initialize type tls

It can't open the 'DH file' (don't quite know which one that is),
but I would assume that it's some (or maybe all?) of the first
three files. Do they exist? Does the freeradius daemon have the
right to _read_ those files (are you running the daemon under some
user _not_ root). I run (default in Debian GNU/Linux) the daemon
under the 'freerad' user so this user must be able to read the
files mentioned (AND have the right to access all directory paths
before it).

Also, the 'check_cert_cn' is empty. If you don't use it, uncomment
it in the config file. Probably goes for the options 'check_cert_cn'
and 'check_cert_issuer' too.

I DO use them, and my eap.conf file looks like this:

----- s n i p -----
celia:~# egrep 'check_cert_issuer|check_cert_cn|cipher_list' /etc/freeradius/eap.conf 
                        check_cert_issuer = "<see below>"
                        check_cert_cn = %{User-Name}
                        cipher_list = "DEFAULT"
----- s n i p -----

The 'check_cert_issuer' value is a little personal (something
I wouldn't want to post to the 'Net) but is the value
found in the 'subject' line when running the command:

  openssl x509 -subject -noout -in <cacert>

----- s n i p -----
celia:~# openssl x509 -subject -noout -in /etc/ssl/CA/cacert.pem
subject= <secret>
----- s n i p -----

> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1962] Unknown module "eap".
> radiusd.conf[1909] Failed to parse authenticate section.

These will probably go away once you have fixed the tls parts
above...

> As you have written 'as are most "helpful" pages not on freeradius.org',
> can you please suggest some links which guide correctly to configure
> radius, openssl and active directory.

I think Alan is a little 'judgmental' (wrong choice, but I
can't quite get the exact translation of what I meant) here.
I would be too if (since!) people don't think for themselves and
only follow external 'documentation' to the letter without
trying to actually understand what it means...

Following ANY documentation requires UNDERSTANDING! Not HOW,
but WHY ('... a certain option is used with a special value').

DISCLAIMER (before Alan slaps me :): I'm in no way better
           myself - I'm lousy at reading documentation.
           I only read a little here and a little there,
           but I (almost) always understand the parts that
           I DO read :)
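The permission check Turbo describes above (the daemon user must be able to read each TLS file AND have search permission on every directory on the way to it) is easy to get wrong by hand, so here is an added example that is not part of the original post or of FreeRADIUS itself. It parses the file options of the tls section (private_key_file, certificate_file, CA_file and dh_file, the option behind the "Unable to open DH file" line) out of eap.conf text, then evaluates classic owner/group/other permissions for a given uid and set of gids, walking the ancestor directories first. The daemon user name 'freerad' is the Debian default mentioned in the post; the file paths, the PEM contents and the foreign uid 4242 in demo() are constructed samples, and ${var} expansion in eap.conf is not performed.

```python
# Added example (not from the original post or the FreeRADIUS project):
# can the unprivileged radiusd user read every TLS file named in eap.conf?
import os
import pwd
import grp
import re
import stat
import tempfile

# tls-section options in eap.conf that name files radiusd must open
TLS_FILE_KEYS = ("private_key_file", "certificate_file", "CA_file", "dh_file")


def parse_tls_files(conf_text):
    """Return {option: path} for the file options found in eap.conf text.
    Accepts plain 'key = "value"' lines and the 'tls: key = "value"' form
    that radiusd -X prints. ${var} expansion is not done (assumption)."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r'(?:tls:\s*)?(\w+)\s*=\s*"?([^"\s]*)"?', line)
        if m and m.group(1) in TLS_FILE_KEYS:
            found[m.group(1)] = m.group(2)
    return found


def user_ids(name):
    """uid and the set of gids (primary + supplementary) of a local account,
    e.g. user_ids("freerad") on Debian."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if name in g.gr_mem)
    return pw.pw_uid, gids


def _allows(st, uid, gids, usr_bit, grp_bit, oth_bit):
    """Classic DAC rule: root bypasses; otherwise owner, then group, then other."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & usr_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & grp_bit)
    return bool(st.st_mode & oth_bit)


def can_user_read(path, uid, gids):
    """Return (ok, reason). Ancestor directories are checked first, because a
    world-readable file inside a directory the daemon cannot search is still
    unreadable to it."""
    path = os.path.abspath(path)
    ancestors, d = [], os.path.dirname(path)
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    for d in reversed(ancestors):                    # root first, like path lookup
        try:
            st = os.stat(d)
        except OSError as e:
            return False, "cannot stat directory %s: %s" % (d, e.strerror)
        if not _allows(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "no search (x) permission on directory %s" % d
    try:
        st = os.stat(path)
    except OSError as e:
        return False, "cannot stat %s: %s" % (path, e.strerror)
    if not _allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, "no read permission on %s" % path
    return True, "ok"


def check_eap_conf(conf_text, uid, gids):
    """Map each tls file option in the config to (ok, reason) for one identity."""
    return {k: can_user_read(p, uid, gids)
            for k, p in parse_tls_files(conf_text).items()}


def demo():
    """Constructed layout: a 0600 key, a 0644 CA cert and a DH file that was
    never created, checked for the current user and for a foreign uid 4242."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)                            # let the foreign uid traverse it
    key, ca, dh = (os.path.join(root, n) for n in ("server.key", "cacert.pem", "dh"))
    for p, mode in ((key, 0o600), (ca, 0o644)):
        with open(p, "w") as f:
            f.write("constructed sample, not a real PEM\n")
        os.chmod(p, mode)
    conf = 'private_key_file = "%s"\nCA_file = "%s"\ndh_file = "%s"\n' % (key, ca, dh)
    me = os.getuid(), set(os.getgroups()) | {os.getgid()}
    other = 4242, {4242}                             # constructed: not owner, not in our groups
    return {"owner": check_eap_conf(conf, *me), "other": check_eap_conf(conf, *other)}


if __name__ == "__main__":
    for who, results in demo().items():
        for option, (ok, reason) in results.items():
            print("%-5s %-17s %s" % (who, option, "OK" if ok else reason))
```

On a real box you would call `user_ids("freerad")` and pass the result with the contents of /etc/freeradius/eap.conf to `check_eap_conf`; any entry that comes back False names the directory or file whose mode (or absence) the daemon will trip over before EAP-TLS can initialise.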



More information about the Freeradius-Users mailing list