Quoting "Rakesh Jha" <rakesh@burgan.com>: I'm far from an expert in FreeRADIUS (so take what I say with a grane of salt), but I instantly noticed this.
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap_tls: Unable to open DH file - (null) rlm_eap: Failed to initialize type tls
It can't open the 'DH file' (don't quite know which one that is), but I would assume that it's some (or maybe all?) of the first three files. Do they exist? Does the freeradius daemon have the right to _read_ those files (are you running the daemon under some user _not_ root). I run (default in Debian GNU/Linux) the daemon under the 'freerad' user so this user must be able to read the files mentioned (AND have the right to access all directory paths before it). Also, the 'check_cert_cn' is empty. If you don't use it, uncomment it in the config file. probably goes for the options 'check_cert_cn' and 'check_cert_issuer' to. I DO use them, and my eap.conf file looks like this: ----- s n i p ----- celia:~# egrep 'check_cert_issuer|check_cert_cn|cipher_list' /etc/freeradius/eap.conf check_cert_issuer = "<see below>" check_cert_cn = %{User-Name} cipher_list = "DEFAULT" ----- s n i p ----- The 'check_cert_issuer' value is a little personal (something I wouldn't want to post to the 'Net) but is the value found in the 'subject' line when running the command: openssl x509 -subject -noout -in <cacert> ----- s n i p ----- celia:~# openssl x509 -subject -noout -in /etc/ssl/CA/cacert.pem subject= <secret> ----- s n i p -----
radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1962] Unknown module "eap". radiusd.conf[1909] Failed to parse authenticate section.
These will probably go away once you have fixed the tls parts above...
As you have written 'as are most "helpful" pages not on freeradius.org', can you please suggest some links which guide correctly to configure radius, openssl and active directory.
I think Alan is a little 'judgmental' (wrong choice, but I can't quite get the exact translation of what I meant) if here. I would to if (since!) people don't think for them self and only follow external 'documentation' by the letter without trying to actually understand what it means... Following ANY documentation require UNDERSTANDING! Not HOW, but WHY ('... a certain option is used with a special value'). DISCLAIMER (before Alan slaps me :): I'm in no way better my self - I'm lousy in reading documentation. I only read a little here and a little there, but I (almost) always understand the parts that I DO read :)