Hi, I m running freeRADIUS 1.1.2. Trying to run it for PEAP authentication and made few changes in radiusd.conf,eap.conf & users files in /usr/local/etc/raddb/ directory. on running freeradius in debugging mode by typing "radiusd -x" on command prompt it gives this output: [root@localhost ~]# radiusd -x Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Module: Loaded exec rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded System Module: Instantiated unix (unix) Module: Loaded eap rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap rlm_eap: Loaded and initialized type gtc rlm_eap_tls: Loading the certificate file as a chain rlm_eap: SSL error error:0200100E:system library:fopen:Bad address rlm_eap_tls: Error reading certificate file rlm_eap: Failed to initialize type tls radiusd.conf [10]: eap: Module instantiation failed. radiusd.conf[1920] Unknown module "eap". radiusd.conf[1867] Failed to parse authenticate section. I am attaching radiusd.conf,clients.conf,eap.conf and users files here. Plz tell me also how to mention network in clients.conf. Do i need to install openssl before running freeradius server? I m pasting my files below here: xxxxxxxxxxxx radiusd.conf xxxxxxxxxxxx ## radiusd.conf -- FreeRADIUS server configuration file. prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid #user = nobody #group = nobody # max_request_time: The maximum time (in seconds) to handle a request. # # Useful range of values: 5 to 120 # max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad # SECURITY CONFIGURATION security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf # CLIENTS CONFIGURATION $INCLUDE ${confdir}/clients.conf # SNMP CONFIGURATION snmp = no $INCLUDE ${confdir}/snmp.conf # THREAD POOL CONFIGURATION thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } # MODULE CONFIGURATION modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } # Extensible Authentication Protocol $INCLUDE ${confdir}/eap.conf # Microsoft CHAP authentication mschap { authtype = MS-CHAP #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } # Lightweight Directory Access Protocol (LDAP) ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 } #} #} realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } # 'username@realm' # realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } # 'username%realm' # realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } # checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id data-type = string } #} preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no # H323-Attribute = "value" with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 #suppress { # User-Password #} } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp # # You may want instead: %{Stripped-User-Name:-%{User-Name}} username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { # allowed values: {no, yes} wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } # Instantiation instantiate { exec expr } authorize { preprocess chap mschap suffix eap files } # Authentication. authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix # } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { # } } pre-proxy { } post-proxy { eap } xxxxxxxxxxxxxxradiusd.conf ends here xxxxxxxxxxxxxxxxx xxxxxxxxxxxxxx eap.conf xxxxxxxxxxxxx ap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh # random_file = ${raddbdir}/certs/random # fragment_size = 1024 # include_length = yes # check_crl = yes # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # check_cert_cn = %{User-Name} # } peap { default_eap_type = mschapv2 } mschapv2 { } } xxxxxxxxxxxxxxxxx eap.conf ends here xxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx clients.conf xxxxxxxxxxx # # clients.conf - client configuration directives client 127.0.0.1 { secret = testing123 shortname = localhost nastype = other # localhost isn't usually a NAS... } #client 192.168.0.0/24 { # secret = testing123-1 # shortname = private-network-1 #} # #client 192.168.0.0/16 { # secret = testing123-2 # shortname = private-network-2 #} xxxxxxxxxxxxxxx clients.conf ends here xxxxxxxxxxxxxxxx xxxxxxxxx users xxxxxxxxx "testuser" User-Password == "testing" Reply-Message = "Hello, %u" DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP xxxxxxxxxx users file ends here xxxxxxxxxxxxxxxxx can anybody suggest me how to make it work(what modifications i need to do) -- Regards Pradeep Singh
On Wednesday 05 July 2006 08:48, Pradeep Sengar wrote:
rlm_eap_tls: Loading the certificate file as a chain rlm_eap: SSL error error:0200100E:system library:fopen:Bad address rlm_eap_tls: Error reading certificate file rlm_eap: Failed to initialize type tls
Did you create any certificates? Are they stored where you indicate in eap.conf? Do they have the proper permissions? Zoltan Ori
Generate certificates and then Configure eap.conf, it'll work. Regards. sukhvinder --- Pradeep Sengar <pradeep.sengar@gmail.com> wrote:
Hi, I m running freeRADIUS 1.1.2. Trying to run it for PEAP authentication and made few changes in radiusd.conf,eap.conf & users files in /usr/local/etc/raddb/ directory. on running freeradius in debugging mode by typing "radiusd -x" on command prompt it gives this output:
[root@localhost ~]# radiusd -x Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Module: Loaded exec rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded System Module: Instantiated unix (unix) Module: Loaded eap rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap rlm_eap: Loaded and initialized type gtc rlm_eap_tls: Loading the certificate file as a chain rlm_eap: SSL error error:0200100E:system library:fopen:Bad address rlm_eap_tls: Error reading certificate file rlm_eap: Failed to initialize type tls radiusd.conf [10]: eap: Module instantiation failed. radiusd.conf[1920] Unknown module "eap". radiusd.conf[1867] Failed to parse authenticate section.
I am attaching radiusd.conf,clients.conf,eap.conf and users files here. Plz tell me also how to mention network in clients.conf. Do i need to install openssl before running freeradius server?
I m pasting my files below here: xxxxxxxxxxxx radiusd.conf xxxxxxxxxxxx ## radiusd.conf -- FreeRADIUS server configuration file.
prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct
# Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody #group = nobody
# max_request_time: The maximum time (in seconds) to handle a request. #
# Useful range of values: 5 to 120 # max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no log_auth_goodpass = no
usercollide = no
lower_user = no lower_pass = no
nospace_user = no nospace_pass = no
# The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
security {
max_attributes = 200
reject_delay = 1
status_server = no }
proxy_requests = yes $INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
snmp = no $INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3 max_spare_servers = 10
max_requests_per_server = 0 }
# MODULE CONFIGURATION
modules {
pap { encryption_scheme = crypt }
=== message truncated ===> -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________________ Yahoo! India Answers: Share what you know. Learn something new http://in.answers.yahoo.com/
participants (3)
-
Pradeep Sengar -
sukhvinder kumar -
Zoltan Ori