a question about settings for EAP-TLS authentication
Hi, All, I am a graduate student in University of Massachusetts Amherst. Now I am trying to set up a wireless environment with FreeRadius to realize secured access with EAP-TLS. I've generated the necessary CA files by openssl and done all necessary settings in FreeRadius. For more detailed operations and settings, please refer to the list below. Operations and Settings on openssl and freeradius, 1, installed openssl-0.9.7-stable-SNAP-20060731, which is downloaded from www.openssl.org. 2, completed the necessary settings in openssl, which is locaed in /usr/local/openssl/ssl. 3, installed freeradius-1.1.0, which is download from www.freeradius.org. 4, modified some settings in CA.all, which is located in /usr/src/802/radius/freeradius-1.1.0/scripts, and run it to generated the CA certificates for server, client as well as root. 5, added a NAS entry in clients.conf. 6, added a user entry in users. 7, started the radius server with the command "./radiusd -X" normally. 8, with default settings in radius.conf, star freeradius successfully, and it can accept the authentication-request from Windows XP client and return the authentication-accept message. This authentication request should belong to EAP-MD5, and the radius server could respond it correctly by default-settings. ---- the operations below are for realization of EAP-TLS ---- 9, copied the newly generated certificates files to the place so that the freeradius could find them. In my case, I moved them to /usr/local/radius/etc/raddb/certs as well as its subfolder /demoCA. 10, added a new user entry in users, which includes only the username attribute because it is said that EAP-TLS would automatically identify its password and other attributes from somewhere. 11, modified the default auth type to 'tls' in eap.conf. 12, uncommented all scripts related to EAP-TLS authentication in eap.conf, including modification of path to the certificate files in /usr/local/radius/etc/raddb/certs as well as ./demoCA. 13, tried to start the radius server with the command "./radiusd -X", but the error message below was returned always. **** log from terminal of linux where freeradius is running **** rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/radius/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/radius/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/radius/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/radius/etc/raddb/certs/dh" tls: random_file = "/usr/local/radius/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain Segmentation fault **** the end of log **** Now I worried that there is something wrong in the cert-srv.pem. I will appreciate all of you so much if anyone can help me take a look at these certificate files. I attached all of configuration files in the freeradius folder. Please refer to them if needed. Looking forward to your reply. Thanks a lot, Best wishes, Yan
On 8/7/06, Yan Cai <ycai@tennis.ecs.umass.edu> wrote:
tls: check_cert_cn = "%{User-Name}"
rlm_eap_tls: Loading the certificate file as a chain
Segmentation fault
Hi, hm, would you care to check if (from your eap.conf) dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random are accessible? It's just a quick shot, I could only check against 1.1.2 which stops with some intelligible message when one or the the other is missing at this stage. Otherwise a backtrace might be helpful. HTH K. Hoercher
Hi, Thanks for your reply. I will appreciate you very much if you could tell me how to verify their accessibility. I am sure they exist in the corresponding folders. Thanks a lot. Best wishes, Yan -----Original Message----- From: freeradius-users-bounces+ycai=tennis.ecs.umass.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ycai=tennis.ecs.umass.edu@lists.freeradius. org] On Behalf Of K. Hoercher Sent: Monday, August 07, 2006 1:55 PM To: FreeRadius users mailing list Subject: Re: a question about settings for EAP-TLS authentication On 8/7/06, Yan Cai <ycai@tennis.ecs.umass.edu> wrote:
tls: check_cert_cn = "%{User-Name}"
rlm_eap_tls: Loading the certificate file as a chain
Segmentation fault
Hi, hm, would you care to check if (from your eap.conf) dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random are accessible? It's just a quick shot, I could only check against 1.1.2 which stops with some intelligible message when one or the the other is missing at this stage. Otherwise a backtrace might be helpful. HTH K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
1, installed openssl-0.9.7-stable-SNAP-20060731, which is downloaded from www.openssl.org.
2, completed the necessary settings in openssl, which is locaed in /usr/local/openssl/ssl.
rlm_eap_tls: Loading the certificate file as a chain
Segmentation fault
Seg Fault humm... I usually get this error is when I install a dedicated openssl library in /usr/local and have my base system use another bundled openssl library ! Do you need to manually install openssl or can you just update the openssl package from you distro ? Have you taken special care about he openssl libraries used during freeradius compilation/linking ? Can you try playing with the LD_RUN_PATH environment variable in order to make sure the dynamic linker is using the openssl library used at Freeradius build phase ? Thibault
participants (3)
-
K. Hoercher -
Thibault Le Meur -
Yan Cai