<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Sorry, forgot the debug output as well..<br><br>[root@lasamiq3 raddb]# radiusd -X<br>Starting - reading configuration files ...<br>reread_config: reading radiusd.conf<br>Config: including file: /etc/raddb/proxy.conf<br>Config: including file: /etc/raddb/clients.conf<br>Config: including file: /etc/raddb/snmp.conf<br>Config: including file: /etc/raddb/eap.conf<br> main: prefix = "/usr"<br> main: localstatedir = "/var"<br> main: logdir = "/var/log/radius"<br> main: libdir = "/usr/lib64"<br> main: radacctdir = "/var/log/radius/radacct"<br> main: hostname_lookups = no<br> main: snmp = no<br> main: max_request_time = 30<br> main: cleanup_delay = 5<br> main: max_requests = 1024<br> main: delete_blocked_requests = 0<br> main: port = 0<br> main: allow_core_dumps = no<br> main: log_stripped_names = no<br> main: log_file = "/var/log/radius/radius.log"<br> main: log_auth = no<br> main: log_auth_badpass = no<br> main: log_auth_goodpass = no<br> main: pidfile = "/var/run/radiusd/radiusd.pid"<br> main: user = "radiusd"<br> main: group = "radiusd"<br> main: usercollide = no<br> main: lower_user = "no"<br> main: lower_pass = "no"<br> main: nospace_user = "no"<br> main: nospace_pass = "no"<br> main: checkrad = "/usr/sbin/checkrad"<br> main: proxy_requests = yes<br> proxy: retry_delay = 5<br> proxy: retry_count = 3<br> proxy: synchronous = no<br> proxy: default_fallback = yes<br> proxy: dead_time = 120<br> proxy: post_proxy_authorize = no<br> proxy: wake_all_if_all_dead = no<br> security: max_attributes = 200<br> security: reject_delay = 1<br> security: status_server = no<br> main: debug_level = 0<br>read_config_files: reading dictionary<br>read_config_files: reading naslist<br>Using deprecated naslist file. Support for this will go away soon.<br>read_config_files: reading clients<br>read_config_files: reading realms<br>radiusd: entering modules setup<br>Module: Library search path is /usr/lib64<br>Module: Loaded exec <br> exec: wait = yes<br> exec: program = "(null)"<br> exec: input_pairs = "request"<br> exec: output_pairs = "(null)"<br> exec: packet_type = "(null)"<br>rlm_exec: Wait=yes but no output defined. Did you mean output=none?<br>Module: Instantiated exec (exec) <br>Module: Loaded expr <br>Module: Instantiated expr (expr) <br>Module: Loaded PAP <br> pap: encryption_scheme = "crypt"<br>Module: Instantiated pap (pap) <br>Module: Loaded CHAP <br>Module: Instantiated chap (chap) <br>Module: Loaded MS-CHAP <br> mschap: use_mppe = yes<br> mschap: require_encryption = no<br> mschap: require_strong = no<br> mschap: with_ntdomain_hack = no<br> mschap: passwd = "(null)"<br> mschap: ntlm_auth = "(null)"<br>Module: Instantiated mschap (mschap) <br>Module: Loaded System <br> unix: cache = no<br> unix: passwd = "(null)"<br> unix: shadow = "/etc/shadow"<br> unix: group = "(null)"<br> unix: radwtmp = "/var/log/radius/radwtmp"<br> unix: usegroup = no<br> unix: cache_reload = 600<br>Module: Instantiated unix (unix) <br>Module: Loaded eap <br> eap: default_eap_type = "tls"<br> eap: timer_expire = 60<br> eap: ignore_unknown_eap_types = no<br> eap: cisco_accounting_username_bug = no<br>rlm_eap: Loaded and initialized type md5<br>rlm_eap: Loaded and initialized type leap<br> gtc: challenge = "Password: "<br> gtc: auth_type = "PAP"<br>rlm_eap: Loaded and initialized type gtc<br> tls: rsa_key_exchange = no<br> tls: dh_key_exchange = yes<br> tls: rsa_key_length = 512<br> tls: dh_key_length = 512<br> tls: verify_depth = 0<br> tls: CA_path = "(null)"<br> tls: pem_file_type = yes<br> tls: private_key_file = "/etc/raddb/certs/radius-priv-key.pem"<br> tls: certificate_file = "/etc/raddb/certs/radius-priv-cert.pem"<br> tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"<br> tls: private_key_password = "mercury"<br> tls: dh_file = "/etc/raddb/certs/dh"<br> tls: random_file = "/etc/raddb/certs/random"<br> tls: fragment_size = 1024<br> tls: include_length = yes<br> tls: check_crl = no<br> tls: check_cert_cn = "(null)"<br> tls: cipher_list = "(null)"<br> tls: check_cert_issuer = "(null)"<br>rlm_eap_tls: Loading the certificate file as a chain<br>rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied<br>rlm_eap_tls: Error reading certificate file<br>rlm_eap: Failed to initialize type tls<br>radiusd.conf[10]: eap: Module instantiation failed. <br>radiusd.conf[1940] Unknown module "eap".<br>radiusd.conf[1887] Failed to parse authenticate section. <br><br><div>> Date: Thu, 6 Nov 2014 09:08:20 -0500<br>> From: aland@deployingradius.com<br>> To: freeradius-users@lists.freeradius.org<br>> Subject: Re: EAP-TLS not initializing<br>> <br>> Ben Tucker wrote:<br>> > Not a very affluent Linux user here but this issue is beyond me. I<br>> > think its something simple to solve but can't figure it out for the life<br>> > of me. When running radius in debug mode it is giving me a permission<br>> > denied message when trying to load the certificates. The certs are<br>> > there in the correct directory. What else am I missing here?<br>> <br>> The permissions are wrong.<br>> <br>> For one, you're using version 1. Don't. Upgrade to 2.2.5.<br>> <br>> > [root@lasamiq3 raddb]# dir -l certs<br>> > total 64<br>> > -rw-r--rwx 1 root radiusd 721 Dec 4 2009 cert-clt.der<br>> <br>> Uh... you do realize that's bad, right?<br>> <br>> The files should NOT be readable and writable by everyone on the<br>> system. They should NOT be executable.<br>> <br>> You went out of your way to break the server. Don't do that. The<br>> default permissions are correct.<br>> <br>> You need to do the following as root:<br>> <br>> cd /etc/raddb<br>> chmod -R -x .<br>> chmod -R o-rw .<br>> <br>> And don't break the server. It causes problems.<br>> -<br>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br></div> </div></body>
</html>