RE: Freeradius+Active directory - router login authentciation
Alan, Please see the complete output of radiusd -X as following - Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-D omain:-burgan_dom} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Cha llenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "(null)" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap_tls: Unable to open DH file - (null) rlm_eap: Failed to initialize type tls radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1962] Unknown module "eap". radiusd.conf[1909] Failed to parse authenticate section. As you have written 'as are most "helpful" pages not on freeradius.org', can you please suggest some links which guide correctly to configure radius, openssl and active directory. Thanks a lot, Rakesh Jha -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, September 10, 2007 8:35 AM To: FreeRadius users mailing list Subject: Re: Freeradius+Active directory - router login authentciation Rakesh Jha wrote: ...
After following FreeRADIUS Tutorial for AD integration I am not able to start radius daemon as it complains -
radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1962] Unknown module "eap". radiusd.conf[1909] Failed to parse authenticate section.
I'm at a bit of a loss for why so many people are so insistent on removing all useful messages. Attention: Any non-official business related views, opinions and other information presented in this electronic mail are solely those of the sender/author. Burgan Bank does not endorse or accept responsibility for their opinions. If you are not the addressed indicated in this mail or responsible for delivering this message to the intended, you should delete this message and notify the sender immediately. ------------------------------------------------------- Burgan Bank S.A.K www.burgan.com
Quoting "Rakesh Jha" <rakesh@burgan.com>: I'm far from an expert in FreeRADIUS (so take what I say with a grane of salt), but I instantly noticed this.
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap_tls: Unable to open DH file - (null) rlm_eap: Failed to initialize type tls
It can't open the 'DH file' (don't quite know which one that is), but I would assume that it's some (or maybe all?) of the first three files. Do they exist? Does the freeradius daemon have the right to _read_ those files (are you running the daemon under some user _not_ root). I run (default in Debian GNU/Linux) the daemon under the 'freerad' user so this user must be able to read the files mentioned (AND have the right to access all directory paths before it). Also, the 'check_cert_cn' is empty. If you don't use it, uncomment it in the config file. probably goes for the options 'check_cert_cn' and 'check_cert_issuer' to. I DO use them, and my eap.conf file looks like this: ----- s n i p ----- celia:~# egrep 'check_cert_issuer|check_cert_cn|cipher_list' /etc/freeradius/eap.conf check_cert_issuer = "<see below>" check_cert_cn = %{User-Name} cipher_list = "DEFAULT" ----- s n i p ----- The 'check_cert_issuer' value is a little personal (something I wouldn't want to post to the 'Net) but is the value found in the 'subject' line when running the command: openssl x509 -subject -noout -in <cacert> ----- s n i p ----- celia:~# openssl x509 -subject -noout -in /etc/ssl/CA/cacert.pem subject= <secret> ----- s n i p -----
radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1962] Unknown module "eap". radiusd.conf[1909] Failed to parse authenticate section.
These will probably go away once you have fixed the tls parts above...
As you have written 'as are most "helpful" pages not on freeradius.org', can you please suggest some links which guide correctly to configure radius, openssl and active directory.
I think Alan is a little 'judgmental' (wrong choice, but I can't quite get the exact translation of what I meant) if here. I would to if (since!) people don't think for them self and only follow external 'documentation' by the letter without trying to actually understand what it means... Following ANY documentation require UNDERSTANDING! Not HOW, but WHY ('... a certain option is used with a special value'). DISCLAIMER (before Alan slaps me :): I'm in no way better my self - I'm lousy in reading documentation. I only read a little here and a little there, but I (almost) always understand the parts that I DO read :)
Turbo Fredriksson wrote:
It can't open the 'DH file' (don't quite know which one that is),
Exactly. And in 1.1.7, both the debug mode and the documentation in eap.conf talk about this *exact* issue.
I think Alan is a little 'judgmental' (wrong choice, but I can't quite get the exact translation of what I meant) if here. I would to if (since!) people don't think for them self and only follow external 'documentation' by the letter without trying to actually understand what it means...
"Tired", not "judgmental". The people asking for the documentation to be spoon fed to them show up on this list. The people who read the documentation and get things done don't show up here.
DISCLAIMER (before Alan slaps me :): I'm in no way better my self - I'm lousy in reading documentation. I only read a little here and a little there, but I (almost) always understand the parts that I DO read :)
Thinking is often a good substitute for documentation. Alan DeKok.
Hi,
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap_tls: Unable to open DH file - (null) rlm_eap: Failed to initialize type tls
It can't open the 'DH file' (don't quite know which one that is), but I would assume that it's some (or maybe all?) of the first three files. Do they exist? Does the freeradius daemon have the
err, the DH file is the DH file - the Diffie-Hellman file eg # # For DH cipher suites to work, you have to # run OpenSSL to create the DH file first: # # openssl dhparam -out certs/dh 1024 # dh_file = ${certdir}/dh random_file = ${certdir}/random as per the eap.conf file - i'm assuming that file hasnt been edited and sliced and diced beyond use? alan
Hi, Appreciate to any help or advice. I using Java (My system is java) invoke FreeRadius to Authenticate. The diagram.JPG (attached file) is my system diagram. System Function: When user1 login, radius return module1. When user2 login, radius return module2 (User1 only can access module1,user2 only can access module2). My step: 1. Put dictionary file "dictionary.prosoft" to /usr/share/freeradius. And put its path to dictionary. And configured the relationship of module and user. 2. I use a kind of radius client named "TinyRadius". Problems: At the client of TinyRadius, TestClient.java (attached file) how to get the module name (such as module1, module2) using TinyRadius API? The current java code(TestClient.java) get nothing about module. And I don't know how to get module info(configured in dictionary) ? Please help me ,thank you very much!
yangcuilin wrote:
Problems: At the client of TinyRadius, TestClient.java (attached file) how to get the module name (such as module1, module2) using TinyRadius API? The current java code(TestClient.java) get nothing about module. And I don't know how to get module info(configured in dictionary) ?
This is not a FreeRADIUS issue. Go ask the Tinyradius people. Alan DeKok.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Rakesh Jha -
Turbo Fredriksson -
yangcuilin