radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

Peter Param pparam at stvincents.com.au
Wed Mar 11 06:10:53 CET 2009


This is a new installation using openssl 0.98j and freeradius 2.1.3.

I get this error when running in debug mode: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback

Prior to running in debug mode, I ran ./bootstrap under the freeradius/certs directory. The output:

radius02:/etc/freeradius/certs# ./bootstrap
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
........................................................................................................................................................................................................................+.........................+..............+................+....+.......+................................................+.....................................................................++*++*++*
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
..........+++
.......+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
                -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
.......+++
..................................................................................................................................+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 11 04:59:02 2009 GMT
            Not After : Mar 11 04:59:02 2010 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
            emailAddress              = admin at example.com 
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Mar 11 04:59:02 2010 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der




radiusd -X output:

FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 11 2009 at 14:14:37
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/roles_search
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/patient_search
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/people_search
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/svmhsradius02.stvincents.com.au
including configuration file /etc/freeradius/sites-available/default
including dictionary file /etc/freeradius/dictionary
main {
        prefix = "/etc"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/freeradius/freeradius.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = no
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client 127.0.0.1 {
        require_message_authenticator = no
        secret = "testing123"
        shortname = "localhost"
        nastype = "other"
 }
 client 10.56.13.161 {
        require_message_authenticator = no
        secret = "itscadmin"
        shortname = "svhxvr01acs01"
        nastype = "cisco"
 }
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 }
radiusd: #### Loading Virtual Servers ####
server virtual.example.com {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/freeradius/certs/server.pem"
        certificate_file = "/etc/freeradius/certs/server.pem"
        CA_file = "/etc/freeradius/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/freeradius/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/freeradius/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback


----------------------------------------------------------------------

** other configuration files...

eap.conf:

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##      $Id$

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#
        eap {
                default_eap_type = md5
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 2048

                # Supported EAP-types
                #
                #  We do NOT recommend using EAP-MD5 authentication
                #  for wireless connections.  It is insecure, and does
                #  not provide for dynamic WEP keys.
                #
                md5 {
                }

                # Cisco LEAP
                #
                #  We do not recommend using LEAP in new deployments.  See:
                #  http://www.securiteam.com/tools/5TP012ACKE.html 
                #
                leap {
                }

                #  Proxying the tunneled EAP-GTC session is a bad idea,
                #  the users password will go over the wire in plain-text,
                #  for anyone to see.
                #
                gtc {
                        auth_type = PAP
                }

                ## EAP-TLS
                #
                #  If OpenSSL was not found at the time the server was
                #  built, the "tls", "ttls", and "peap" sections will
                #  be ignored.
                #
                #
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs

                        private_key_password = whatever
                        private_key_file = ${certdir}/server.pem

                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem

                        dh_file = ${certdir}/dh
                #       random_file = ${certdir}/random
                        random_file = /dev/urandom
                #       fragment_size = 1024
                #       include_length = yes
                #       check_crl = yes
                #       CA_path = /path/to/directory/with/ca_certs/and/crls/
                #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
                #       check_cert_cn = %{User-Name}
                #
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        cache {
                              enable = no
                              lifetime = 24 # hours
                              max_entries = 255
                        }
                }

                #  The TTLS module implements the EAP-TTLS protocol,
                #  which can be described as EAP inside of Diameter,
                #  inside of TLS, inside of EAP, inside of RADIUS...
                #
                #  You can make TTLS require a client cert by setting
                #
                #       EAP-TLS-Require-Client-Cert = Yes
                #
                #  in the control items for a request.
                #
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }

                ##################################################
                #
                #  !!!!! WARNINGS for Windows compatibility  !!!!!
                #
                ##################################################
                #
                #  If you see the server send an Access-Challenge,
                #  and the client never sends another Access-Request,
                #  then
                #
                #               STOP!
                #
                #  The server certificate has to have special OID's
                #  in it, or else the Microsoft clients will silently
                #  fail.  See the "scripts/xpextensions" file for
                #  details, and the following page:
                #
                #       http://support.microsoft.com/kb/814394/en-us 
                #
                #  For additional Windows XP SP2 issues, see:
                #
                #       http://support.microsoft.com/kb/885453/en-us 
                #
                #  Note that we do not necessarily agree with their
                #  explanation... but the fix does appear to work.
                #
                ##################################################

                #  You can make PEAP require a client cert by setting
                #
                #       EAP-TLS-Require-Client-Cert = Yes
                #
                #  in the control items for a request.
                #
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                #       proxy_tunneled_request_as_eap = yes
                        virtual_server = "inner-tunnel"
                }

                #  Note also that in order for this sub-module to work,
                #  the main 'mschap' module MUST ALSO be configured.
                #
                mschapv2 {
                }
        }

sites-enabled/default:

######################################################################
#
#       As of 2.0.0, FreeRADIUS supports virtual hosts using the
#       "server" section, and configuration directives.
#
#       Virtual hosts should be put into the "sites-available"
#       directory.  Soft links should be created in the "sites-enabled"
#       directory to these files.  This is done in a normal installation.
#
#       $Id$
#
######################################################################
#
#       Read "man radiusd" before editing this file.  See the section
#       titled DEBUGGING.  It outlines a method where you can quickly
#       obtain the configuration you want, without running into
#       trouble.  See also "man unlang", which documents the format
#       of this file.
#
######################################################################

authorize {
        preprocess
#       auth_log
        chap
        mschap
        suffix
#       ntdomain
        eap {
                ok = return
        }
#       unix
        files
        roles_search
        people_search
        patient_search
#       daily
#       checkval
#       expiration
#       logintime
#       pap
#       Autz-Type Status-Server {
#
#       }
}


#  Authentication.
#
authenticate {
#       Auth-Type PAP {
#               pap
#       }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

#       Auth-Type LDAP {
#               ldap
#       }

        eap
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
        preprocess
        acct_unique
#       IPASS
        suffix
#       ntdomain
        files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
#       preprocess
        detail
#       daily
        unix
        radutmp
#       sradutmp
#       main_pool
#       pgsql-voip
#       attr_filter.accounting_response
#       Acct-Type Status-Server {
#
#       }
}

session {
        radutmp
}


#  Post-Authentication
post-auth {
#       main_pool
#       reply_log
#       sql
#       sql_log
#       ldap
#       exec
#       Post-Auth-Type REJECT {
#               attr_filter.access_reject
#       }
}

pre-proxy {
#       attr_rewrite
#       files
#       attr_filter.pre-proxy
#       pre_proxy_log
}

post-proxy {
#       post_proxy_log
#       attr_rewrite
#       attr_filter.post-proxy
#       eap
#       Post-Proxy-Type Fail {
#                       detail
#       }

}



cheers

Peter

