Resolution (was: Re: "WARNING: !! EAP session for state ... did not finish!", And Other Warnings)

Alan DeKok aland at deployingradius.com
Wed Oct 7 16:34:36 CEST 2015


On Oct 7, 2015, at 10:13 AM, Jim Seymour <jseymour at LinxNet.com> wrote:
> I tried everything recommended here, including wiping everything out
> and reinstalling from scratch.  Two or three times.  And including using
> all the "official" docs, guides and directions I could find.
> 
>    Side note: Attempting to use the certs created by the FreeRADIUS
>    Makefile would not allow OpenLDAP to run.

  What does that mean?

> Nor could I persuade
>    "openssl verify ..." to validate the certificate chain, no matter
>    what I did.

  What errors did you get?  What did you do?

  There is some magic here.. SSL magic.  But the scripts and Makefile rules in raddb/certs *work*.

> Altering /etc/ssl/openssl.cnf to include the appropriate attributes and
> using CA.pl with -newca/-newcert-nodes/-sign produced certificates
> indistinguishable from those produced by the FreeRADIUS certs Makefile
> (examining them with "openssl x509 -noout -text -in <file>"), except
> both OpenLDAP and "openssl verify ..." were happy with those certs.

  What does that mean?

  You're describing problems in vague ways.  WHAT went wrong?  WHY would the certificates not verify?

  The only thing I can think of is that you're using version 1... and the default SSL configuration there is to use deprecated hashing functions.  Which newer code will refuse to use as insecure.

  The solution is to use a version of FreeRADIUS which was released in the last 5 years.

> 1.1.1 has been working on the server being replaced, so I downloaded
> source tarballs of everything from 1.1.1 thru 1.1.8 (the link for 1.1.8
> on the download page is broken, btw), and started building,

  I've fixed that link.

  But... if you're using version 1, you will get *zero* support from this list.  That version is old, unsupported, and there are no good reasons to use it.

  Install version 2.2.9, and go from there.

> I don't understand why I've been unable to get 2.x.x going, but I've
> beat my head against it long enough.  There's a boat-load of other
> stuff to install, configure and test on this server, and a ton of
> projects backed-up behind this project.  I must move on, so 1.1.8 is
> what we'll be using.
> 
> Thanks, everybody, for your kind and patient assistance!

  You should really use 2.2.9.  If it doesn't work, explain what's going wrong, and we can help you.

  1.1.8 is the entirely wrong choice.

  Alan DeKok.



