On Wed 25 Apr 2007, Alan DeKok wrote:
I had an idea on the way home last night. It's now implemented, and it's pretty cool.
In eap.conf, the tls, ttls, and peap sections are now enabled in the default install.
The EAP module ignores them if OpenSSL wasn't found during the build.
The tls module now has a configuration entry "make_cert_command".
raddb/certs/bootstrap is a shell script that runs "make".
On initial boot in debugging mode after "make install", the server loads the tls module (if OpenSSL was found). The TLS module sees that there's a "make_cert_command", and it's in debugging mode, and no server certificate exists.
It then runs the "make_cert_command" to create the certificates, and continues with its normal startup.
This means that all of the annoying fighting with stupid certificates to get EAP-TLS to work is *gone*. Just install OpenSSL, install the server, and start the server. EAP-TLS, TTLS, and PEAP will Just Work.
This makes me happy. It should make the server MUCH easier to deploy.
This is all cool, except my rpms no longer work by default :-D A new install on a clean server of last night's snapshot rpm gives the following on first start: Tue May 8 14:31:08 2007 : Info: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on May 8 2007 at 11:17:58 Tue May 8 14:31:08 2007 : Info: Starting - reading configuration files ... Tue May 8 14:31:08 2007 : Info: rlm_exec: wait=yes but no output defined. Did you mean output=none? Tue May 8 14:31:08 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain Tue May 8 14:31:08 2007 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied Tue May 8 14:31:08 2007 : Error: rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem Tue May 8 14:31:08 2007 : Error: rlm_eap: Failed to initialize type tls Tue May 8 14:31:08 2007 : Error: radiusd.conf[10]: eap: Module instantiation failed. Tue May 8 14:31:08 2007 : Error: radiusd.conf[2129] Failed to find module "eap". Tue May 8 14:31:08 2007 : Error: radiusd.conf[2076] Failed to parse authenticate section. Tue May 8 14:31:08 2007 : Error: Errors setting up modules Note that radiusd does not have permission to write to /etc/raddb with the default install of my rpms, and in my opinion should not need to have permission: # ls -la /etc/raddb/certs total 33 drw-r----- 2 root radiusd 248 2007-05-08 14:28 . drwxr-xr-x 4 root root 816 2007-05-08 14:28 .. -rw-r----- 1 root radiusd 297 2007-05-08 11:18 bootstrap -rw-r----- 1 root radiusd 1155 2007-05-08 11:18 ca.cnf -rw-r----- 1 root radiusd 1109 2007-05-08 11:18 client.cnf -rw-r----- 1 root radiusd 4181 2007-05-08 11:18 Makefile -rw-r----- 1 root radiusd 4063 2007-05-08 11:18 README -rw-r----- 1 root radiusd 1123 2007-05-08 11:18 server.cnf -rw-r----- 1 root radiusd 514 2007-05-08 11:18 xpextensions Should I run "raddb/certs/bootstrap" during rpm build? On initial install? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc