Not a very affluent Linux user here but this issue is beyond me. I think its something simple to solve but can't figure it out for the life of me. When running radius in debug mode it is giving me a permission denied message when trying to load the certificates. The certs are there in the correct directory. What else am I missing here? [root@lasamiq3 raddb]# radiusd -x Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Module: Loaded exec rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded System Module: Instantiated unix (unix) Module: Loaded eap rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap rlm_eap: Loaded and initialized type gtc rlm_eap_tls: Loading the certificate file as a chain rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied rlm_eap_tls: Error reading certificate file rlm_eap: Failed to initialize type tls radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1940] Unknown module "eap". radiusd.conf[1887] Failed to parse authenticate section. [root@lasamiq3 raddb]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib64" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib64 Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/radius-priv-key.pem" tls: certificate_file = "/etc/raddb/certs/radius-priv-cert.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "mercury" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied rlm_eap_tls: Error reading certificate file rlm_eap: Failed to initialize type tls radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1940] Unknown module "eap". radiusd.conf[1887] Failed to parse authenticate section. [root@lasamiq3 raddb]# [root@lasamiq3 raddb]# [root@lasamiq3 raddb]# [root@lasamiq3 raddb]# dir -l certs total 64 -rw-r--rwx 1 root radiusd 721 Dec 4 2009 cert-clt.der -rw-r--rwx 1 root radiusd 1741 Dec 4 2009 cert-clt.p12 -rw-r--rwx 1 root radiusd 2452 Dec 4 2009 cert-clt.pem -rw-r--rwx 1 root radiusd 717 Dec 4 2009 cert-srv.der -rw-r--rwx 1 root radiusd 1733 Dec 4 2009 cert-srv.p12 -rw-r--rwx 1 root radiusd 2439 Dec 4 2009 cert-srv.pem drw-r--rwx 2 root radiusd 4096 Nov 4 23:07 demoCA -rw-r--rwx 1 root radiusd 0 Dec 4 2009 dh -rw-r--rwx 1 root radiusd 2913 Dec 4 2009 newcert.pem -rw-r--rwx 1 root radiusd 1753 Dec 4 2009 newreq.pem -rwxr-xr-x 1 root root 3016 Nov 5 18:50 radius-srv-pri-cert.pem -rwxr-xr-x 1 root root 1606 Nov 5 16:59 radius-srv-pri-key.pem -rw-r--rwx 1 root radiusd 1024 Dec 4 2009 random -rw-r--rwx 1 root radiusd 431 Dec 4 2009 README -rw-r--rwx 1 root radiusd 954 Dec 4 2009 root.der -rw-r--rwx 1 root radiusd 1973 Dec 4 2009 root.p12 -rw-r--rwx 1 root radiusd 2764 Dec 4 2009 root.pem [root@lasamiq3 raddb]# dir -l certs/demoCA total 20 -rwxr-xr-x 1 root radiusd 1074 Nov 5 18:48 cacert.pem -rw-r--rwx 1 root radiusd 276 Dec 4 2009 index.txt -rw-r--rwx 1 root radiusd 140 Dec 4 2009 index.txt.old -rw-r--rwx 1 root radiusd 3 Dec 4 2009 serial -rw-r--rwx 1 root radiusd 3 Dec 4 2009 serial.old [root@lasamiq3 raddb]#
Ben Tucker wrote:
Not a very affluent Linux user here but this issue is beyond me. I think its something simple to solve but can't figure it out for the life of me. When running radius in debug mode it is giving me a permission denied message when trying to load the certificates. The certs are there in the correct directory. What else am I missing here?
The permissions are wrong. For one, you're using version 1. Don't. Upgrade to 2.2.5.
[root@lasamiq3 raddb]# dir -l certs total 64 -rw-r--rwx 1 root radiusd 721 Dec 4 2009 cert-clt.der
Uh... you do realize that's bad, right? The files should NOT be readable and writable by everyone on the system. They should NOT be executable. You went out of your way to break the server. Don't do that. The default permissions are correct. You need to do the following as root: cd /etc/raddb chmod -R -x . chmod -R o-rw . And don't break the server. It causes problems.
Thanks, I have changed the permissions as you stated but am still getting the same error when I run freeradius in debug mode. I have changed the permissions to the directory however. [root@lasamiq3 raddb]# dir -l total 264 -rw-r----- 1 root radiusd 422 Dec 4 2009 acct_users -rw-r----- 1 root radiusd 4074 Dec 4 2009 attrs drw-r----- 3 root radiusd 4096 Nov 5 16:59 certs -rw-r----- 1 root radiusd 189 Dec 4 2009 clients -rw-r----- 1 root radiusd 2923 Nov 5 12:26 clients.conf -rw-r----- 1 root radiusd 929 Dec 4 2009 dictionary -rw-r----- 1 root radiusd 9908 Nov 6 14:06 eap.conf -rw-r----- 1 root root 9985 Nov 5 16:48 eap.conf.1 -rw-r----- 1 root radiusd 4620 Dec 4 2009 example.pl -rw-r----- 1 root radiusd 2396 Dec 4 2009 hints -rw-r----- 1 root radiusd 1604 Dec 4 2009 huntgroups -rw-r----- 1 root radiusd 2439 Dec 4 2009 ldap.attrmap -rw-r----- 1 root radiusd 1020 Dec 4 2009 naslist -rw-r----- 1 root radiusd 856 Dec 4 2009 naspasswd -rw-r----- 1 root radiusd 3358 Dec 4 2009 otp.conf -rw-r----- 1 root radiusd 1734 Dec 4 2009 otppasswd.sample -rw-r----- 1 root radiusd 1039 Dec 4 2009 preproxy_users -rw-r----- 1 root radiusd 8834 Dec 4 2009 proxy.conf -rw-r----- 1 root radiusd 66189 Nov 5 23:54 radiusd.conf -rw-r----- 1 root root 66091 Nov 5 22:55 radiusd.conf.1 -rw-r----- 1 root radiusd 187 Dec 4 2009 realms -rw-r----- 1 root radiusd 1405 Dec 4 2009 snmp.conf -rw-r----- 1 root radiusd 3329 Dec 4 2009 sqlippool.conf -rw-r----- 1 root radiusd 7060 Nov 5 16:44 users
Date: Thu, 6 Nov 2014 09:08:20 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: EAP-TLS not initializing
Ben Tucker wrote:
Not a very affluent Linux user here but this issue is beyond me. I think its something simple to solve but can't figure it out for the life of me. When running radius in debug mode it is giving me a permission denied message when trying to load the certificates. The certs are there in the correct directory. What else am I missing here?
The permissions are wrong.
For one, you're using version 1. Don't. Upgrade to 2.2.5.
[root@lasamiq3 raddb]# dir -l certs total 64 -rw-r--rwx 1 root radiusd 721 Dec 4 2009 cert-clt.der
Uh... you do realize that's bad, right?
The files should NOT be readable and writable by everyone on the system. They should NOT be executable.
You went out of your way to break the server. Don't do that. The default permissions are correct.
You need to do the following as root:
cd /etc/raddb chmod -R -x . chmod -R o-rw .
And don't break the server. It causes problems. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ben Tucker wrote:
Thanks, I have changed the permissions as you stated but am still getting the same error when I run freeradius in debug mode.
<shrug> You broke it. The default installation works. Delete everything you've done, and install 2.2.5, or whatever version2 is supplied by your OS vendor. Alan DeKok.
Ok, installed v2, recreated my certs and still getting same problem. I am at a loss. I have verified openssl can read my certs, they are in the correct directory, shouldnt be a permission issue. Any other ideas? [root@lasamiq3 ~]# radiusd -X FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Sep 25 2012 at 10:56:03 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 127.0.0.1 { require_message_authenticator = no secret = "testing123" shortname = "localhost" nastype = "other" } client 10.81.10.0/24 { require_message_authenticator = no secret = "preshare" shortname = "CL_GE_Radios" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs/demoCA" pem_file_type = yes private_key_file = "/etc/raddb/certs/radius-priv-key.pem" certificate_file = "/etc/raddb/certs/radius-priv-cert.pem" CA_file = "/etc/raddb/certs/demoCA/cacert.pem" private_key_password = "mercury" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory rlm_eap_tls: Error reading certificate file /etc/raddb/certs/radius-priv-cert.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[310]: Failed to load module "eap". /etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.
Date: Thu, 6 Nov 2014 09:50:42 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: EAP-TLS not initializing
Ben Tucker wrote:
Thanks, I have changed the permissions as you stated but am still getting the same error when I run freeradius in debug mode.
<shrug> You broke it. The default installation works.
Delete everything you've done, and install 2.2.5, or whatever version2 is supplied by your OS vendor.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ben Tucker wrote:
Ok, installed v2, recreated my certs and still getting same problem.
No, you're not.
rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
That's a different error.
Any other ideas?
Use the correct filename in the configuration. Ensure that the file exists. Alan DeKok.
Thanks Alan, please see below. Unless I am missing something, the files are there... [root@lasamiq3 raddb]# dir -l certs/radius* -rw-r--r-- 1 root root 3016 Nov 6 16:42 certs/radius-srv-pri-cert.pem -rw-r--r-- 1 root root 1606 Nov 6 16:42 certs/radius-srv-pri-key.pem [root@lasamiq3 raddb]# dir -l certs/demoCA total 16 -rw-r--r-- 1 root root 751 Nov 6 16:10 cacert.der -rw-r--r-- 1 root root 1074 Nov 6 16:10 cacert.pem -rw-r----- 1 root radiusd 1074 Nov 5 18:48 cacert.pem.rpmsave -rw-r--r-- 1 root root 963 Nov 6 16:10 cakey.pem tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs/demoCA" pem_file_type = yes private_key_file = "/etc/raddb/certs/radius-priv-key.pem" certificate_file = "/etc/raddb/certs/radius-priv-cert.pem" CA_file = "/etc/raddb/certs/demoCA/cacert.pem" private_key_password = "mercury" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory rlm_eap_tls: Error reading certificate file /etc/raddb/certs/radius-priv-cert.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[310]: Failed to load module "eap". /etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.
Date: Thu, 6 Nov 2014 13:06:51 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: EAP-TLS not initializing
Ben Tucker wrote:
Ok, installed v2, recreated my certs and still getting same problem.
No, you're not.
rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
That's a different error.
Any other ideas?
Use the correct filename in the configuration. Ensure that the file exists.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ben Tucker wrote:
Thanks Alan, please see below. Unless I am missing something, the files are there...
You are missing something. The server can't read the files. It doesn't lie to you.
rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory rlm_eap_tls: Error reading certificate file /etc/raddb/certs/radius-priv-cert.pem
And what do you get when you do: $ ls -al /etc/raddb/certs/radius-priv-cert.pem Probably "no such file or directory" This is why the server prints out filenames in debug mode. So you can CHECK THE FILENAME. Alan DeKok.
You are THE man, Alan :) Can't believe I missed that and sorry for being such a noob. Cheers
Date: Thu, 6 Nov 2014 13:51:11 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: EAP-TLS not initializing
Ben Tucker wrote:
Thanks Alan, please see below. Unless I am missing something, the files are there...
You are missing something. The server can't read the files. It doesn't lie to you.
rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory rlm_eap_tls: Error reading certificate file /etc/raddb/certs/radius-priv-cert.pem
And what do you get when you do:
$ ls -al /etc/raddb/certs/radius-priv-cert.pem
Probably "no such file or directory"
This is why the server prints out filenames in debug mode. So you can CHECK THE FILENAME.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 6 Nov 2014, at 18:26, Ben Tucker <h_bbit@hotmail.com> wrote:
Thanks Alan, please see below. Unless I am missing something, the files are there...
Did you even read the output before you sent it to the list? The filenames in your config and the actual file names you've just sent *clearly* don't match. Thanks, Adam Bishop gpg: 0x6609D460 Janet, the UK's research and education network. Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
Thanks Alan, please see below. Unless I am missing something, the files are there...
ummm
[root@lasamiq3 raddb]# dir -l certs/radius* -rw-r--r-- 1 root root 3016 Nov 6 16:42 certs/radius-srv-pri-cert.pem -rw-r--r-- 1 root root 1606 Nov 6 16:42 certs/radius-srv-pri-key.pem
have a look at those file names. note them well.
private_key_file = "/etc/raddb/certs/radius-priv-key.pem" certificate_file = "/etc/raddb/certs/radius-priv-cert.pem"
have a look at what you have in your config. seems obvious here.. alan
Sorry, forgot the debug output as well.. [root@lasamiq3 raddb]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib64" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib64 Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/radius-priv-key.pem" tls: certificate_file = "/etc/raddb/certs/radius-priv-cert.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "mercury" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied rlm_eap_tls: Error reading certificate file rlm_eap: Failed to initialize type tls radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1940] Unknown module "eap". radiusd.conf[1887] Failed to parse authenticate section.
Date: Thu, 6 Nov 2014 09:08:20 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: EAP-TLS not initializing
Ben Tucker wrote:
Not a very affluent Linux user here but this issue is beyond me. I think its something simple to solve but can't figure it out for the life of me. When running radius in debug mode it is giving me a permission denied message when trying to load the certificates. The certs are there in the correct directory. What else am I missing here?
The permissions are wrong.
For one, you're using version 1. Don't. Upgrade to 2.2.5.
[root@lasamiq3 raddb]# dir -l certs total 64 -rw-r--rwx 1 root radiusd 721 Dec 4 2009 cert-clt.der
Uh... you do realize that's bad, right?
The files should NOT be readable and writable by everyone on the system. They should NOT be executable.
You went out of your way to break the server. Don't do that. The default permissions are correct.
You need to do the following as root:
cd /etc/raddb chmod -R -x . chmod -R o-rw .
And don't break the server. It causes problems. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, tls: private_key_file = "/etc/raddb/certs/radius-priv-key.pem" tls: certificate_file = "/etc/raddb/certs/radius-priv-cert.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "mercury" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied check that all of those files referenced ar readble by the radiusd user and check that the contents are correct(!) alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Adam Bishop -
Alan DeKok -
Ben Tucker