Login to Cisco devices through freeradius
Buddies, I don't know if I can issue this question here, but I need your help to implement RADIUS solution... I think that my objective is quite simple in comparison with RADIUS most variables purposes. I must login to my network devices through RADIUS server, centralizing this management process. After installing freeradius, I couldn't start it. Checking radius.log I saw the following errors: Wed Mar 18 15:31:28 2009 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied Wed Mar 18 15:31:28 2009 : Error: rlm_eap_tls: Error reading Trusted root CA list /etc/raddb/certs/ca.pem Wed Mar 18 15:31:28 2009 : Error: rlm_eap: Failed to initialize type tls Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap". Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section. Wed Mar 18 15:31:28 2009 : Error: Errors initializing modules I'm completely lost about the solution and I wasn't able to find any "how to" on the web. I appreciate any help, thanks in advance. Bruno
After installing freeradius, I couldn't start it. Checking radius.log I saw the following errors:
Wed Mar 18 15:31:28 2009 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied Wed Mar 18 15:31:28 2009 : Error: rlm_eap_tls: Error reading Trusted root CA list /etc/raddb/certs/ca.pem
There is nothing misterious about these messages. User freeradius runs under doesn't have permission to open certificate files. Check permissions on the file directory mentioned in the debug. Ivan Kalik Kalik Informatika ISP
I issued "chmod 777 *" in every directory related to freeradius. There is no freeradius user in users command output! No success until now... tks! Bruno 2009/3/19 <tnt@kalik.net>
After installing freeradius, I couldn't start it. Checking radius.log I saw the following errors:
Wed Mar 18 15:31:28 2009 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied Wed Mar 18 15:31:28 2009 : Error: rlm_eap_tls: Error reading Trusted root
CA
list /etc/raddb/certs/ca.pem
There is nothing misterious about these messages. User freeradius runs under doesn't have permission to open certificate files.
Check permissions on the file directory mentioned in the debug.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bruno Noronha wrote:
I issued "chmod 777 *" in every directory related to freeradius.
Don't do that. Ever. The server comes with a default configuration that WORKS. The only reason that it doesn't have permission to read those files is because YOU changed the configuration so that the server doesn't have permission. Why are so many people insistent on breaking the working configuration? Where else do we need to document "DON'T BREAK IT" ? Alan DeKok.
Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing "permission denied" remains..It's strange, unless I have forgotten to change permission of a directory. I was expecting something like "unsecure permissions" which didn't happen. 2009/3/20 Alan DeKok <aland@deployingradius.com>
Bruno Noronha wrote:
I issued "chmod 777 *" in every directory related to freeradius.
Don't do that. Ever.
The server comes with a default configuration that WORKS. The only reason that it doesn't have permission to read those files is because YOU changed the configuration so that the server doesn't have permission.
Why are so many people insistent on breaking the working configuration? Where else do we need to document "DON'T BREAK IT" ?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing "permission denied" remains..It's strange, unless I have forgotten to change permission of a directory. I was expecting something like "unsecure permissions" which didn't happen.
Do you have something like selinux preventing access? Ivan Kalik Kalik Informatika ISP
I don't think so.I'm using SUSE 11.0, is there any problem with that? 2009/3/20 <tnt@kalik.net>
Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing "permission denied" remains..It's strange, unless I have forgotten to change permission of a directory. I was expecting something like "unsecure permissions" which didn't happen.
Do you have something like selinux preventing access?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
try commenting out the eap module in both radiusd.conf and sites-available/default, inner-tunnel, then try starting radiusd -X tnt-4 wrote:
Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing "permission denied" remains..It's strange, unless I have forgotten to change permission of a directory. I was expecting something like "unsecure permissions" which didn't happen.
Do you have something like selinux preventing access?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Login-to-Cisco-devices-through-freeradius-tp22610096p2... Sent from the FreeRadius - User mailing list archive at Nabble.com.
There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory? 2009/3/20 sollunga <sollunga@yahoo.com>
try commenting out the eap module in both radiusd.conf and sites-available/default, inner-tunnel, then try starting radiusd -X
tnt-4 wrote:
Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing "permission denied" remains..It's strange, unless I have forgotten to change permission of a directory. I was expecting something like "unsecure permissions" which didn't happen.
Do you have something like selinux preventing access?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Login-to-Cisco-devices-through-freeradius-tp22610096p2... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?
hang on - do you actually HAVE any EAP cert/CA files that you are referencing in eap.conf? read eap.conf - see what files it is trying to read (cert, CA , pkcs12, random, etc) and check you actually HAVE those files. if you have those files, then ensure that the permissions for the directory and files are suitable for reading - you DONT EVER want 777 with 777 i could own your server and take over your infrastructure - you only want read permissions on the files...for the relavant user that the freeradius daemon is running as (usually radiusd) what does id radiusd give as output? alan
Dawg, I have all default installation files. I read eap.conf and it seems to be okay, I either changed any file, including adding new users! Everything remains the same... I know that "chmod 777" is not recommended. I did it just to make sure that what I have isn't a permission issue. Here is the output for id radiusd command: uid=108(radiusd) gid=109(radiusd) groups=109(radiusd) Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be so simple! Is there any possibility of OS incompatibity with freeRADIUS? tks! 2009/3/20 <A.L.M.Buxey@lboro.ac.uk>
Hi,
There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?
hang on - do you actually HAVE any EAP cert/CA files that you are referencing in eap.conf?
read eap.conf - see what files it is trying to read (cert, CA , pkcs12, random, etc) and check you actually HAVE those files. if you have those files, then ensure that the permissions for the directory and files are suitable for reading - you DONT EVER want 777
with 777 i could own your server and take over your infrastructure - you only want read permissions on the files...for the relavant user that the freeradius daemon is running as (usually radiusd)
what does
id radiusd
give as output?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bruno Noronha wrote:
Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be so simple! Is there any possibility of OS incompatibity with freeRADIUS?
No. Alan DeKok.
There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory? Hi, I've just struggled through all this so it's nice to try and help. Always take note of the FIRST error message in the debug. The later ones can be confusing if you don't understand what's going on. Your problem seems to be that the server can't read the certificate files. If they aren't there, it won't be able to. When I compiled freeradius it generated test certificates itself (after tweaking the Makefile). Are you using the latest version? You must have certificates to do SSL. They live in the raddb/certs directory. Regards, Leighton
Leighton, tks for help me. I agree with you, the messages are a little bit confusing for me too. That's what I thought, problems wich permission. That's why I did chmod 777, even knowing that it's not recommended. After doing this, the issue persist...I'm using the newest available version of freeradius.org. Here follows the output of Makefile. /etc/raddb/certs/Makefile /etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found grep: server.cnf: No such file or directory /etc/raddb/certs/Makefile: line 17: PASSWORD_SERVER: command not found grep: ca.cnf: No such file or directory /etc/raddb/certs/Makefile: line 18: PASSWORD_CA: command not found grep: client.cnf: No such file or directory /etc/raddb/certs/Makefile: line 19: PASSWORD_CLIENT: command not found grep: client.cnf: No such file or directory /etc/raddb/certs/Makefile: line 21: USER_NAME: command not found /etc/raddb/certs/Makefile: line 28: .PHONY:: command not found /etc/raddb/certs/Makefile: line 29: all:: command not found /etc/raddb/certs/Makefile: line 31: .PHONY:: command not found /etc/raddb/certs/Makefile: line 32: client:: command not found /etc/raddb/certs/Makefile: line 34: .PHONY:: command not found /etc/raddb/certs/Makefile: line 35: ca:: command not found /etc/raddb/certs/Makefile: line 37: .PHONY:: command not found /etc/raddb/certs/Makefile: line 38: server:: command not found /etc/raddb/certs/Makefile: line 45: dh:: command not found /etc/raddb/certs/Makefile: line 46: DH_KEY_SIZE: command not found And the outpug of ls -ls on certs directory: RADIUS:/etc/raddb/certs # ls -l total 104 -rwxrwxrwx 1 root root 4210 Mar 17 10:49 01.pem -rwxrwxrwx 1 root root 4441 Nov 19 14:20 Makefile -rwxrwxrwx 1 root root 5343 Nov 19 14:20 README -rwxrwxrwx 1 root radiusd 462 Nov 19 14:20 bootstrap -rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf -rwxrwxrwx 1 root root 1195 Mar 17 10:49 ca.der -rwxrwxrwx 1 root root 1743 Mar 17 10:49 ca.key -rwxrwxrwx 1 root root 1675 Mar 17 10:49 ca.pem -rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf -rwxrwxrwx 1 root root 466 Mar 19 15:10 dh -rwxrwxrwx 1 root root 120 Mar 17 10:49 index.txt -rwxrwxrwx 1 root root 21 Mar 17 10:49 index.txt.attr -rwxrwxrwx 1 root root 0 Mar 17 10:49 index.txt.old -rwxrwxrwx 1 root root 1024 Mar 19 15:11 random -rwxrwxrwx 1 root root 3 Mar 17 10:49 serial -rwxrwxrwx 1 root root 3 Mar 17 10:49 serial.old -rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf -rwxrwxrwx 1 root root 4210 Mar 17 10:49 server.crt -rwxrwxrwx 1 root root 1062 Mar 17 10:49 server.csr -rwxrwxrwx 1 root root 1743 Mar 17 10:49 server.key -rwxrwxrwx 1 root root 2533 Mar 17 10:49 server.p12 -rwxrwxrwx 1 root root 3495 Mar 17 10:49 server.pem -rwxrwxrwx 1 root root 578 Nov 19 14:20 xpextensions 2009/3/20 Leighton Man <l.j.man@hud.ac.uk>
There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?
Hi, I've just struggled through all this so it's nice to try and help. Always take note of the FIRST error message in the debug. The later ones can be confusing if you don't understand what's going on. Your problem seems to be that the server can't read the certificate files. If they aren't there, it won't be able to. When I compiled freeradius it generated test certificates itself (after tweaking the Makefile). Are you using the latest version?
You must have certificates to do SSL. They live in the raddb/certs directory.
Regards,
Leighton
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
RADIUS:/etc/raddb/certs # ls -l total 104 -rwxrwxrwx 1 root root 4210 Mar 17 10:49 01.pem -rwxrwxrwx 1 root root 4441 Nov 19 14:20 Makefile -rwxrwxrwx 1 root root 5343 Nov 19 14:20 README -rwxrwxrwx 1 root radiusd 462 Nov 19 14:20 bootstrap -rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf -rwxrwxrwx 1 root root 1195 Mar 17 10:49 ca.der -rwxrwxrwx 1 root root 1743 Mar 17 10:49 ca.key -rwxrwxrwx 1 root root 1675 Mar 17 10:49 ca.pem -rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf -rwxrwxrwx 1 root root 466 Mar 19 15:10 dh -rwxrwxrwx 1 root root 120 Mar 17 10:49 index.txt -rwxrwxrwx 1 root root 21 Mar 17 10:49 index.txt.attr -rwxrwxrwx 1 root root 0 Mar 17 10:49 index.txt.old -rwxrwxrwx 1 root root 1024 Mar 19 15:11 random -rwxrwxrwx 1 root root 3 Mar 17 10:49 serial -rwxrwxrwx 1 root root 3 Mar 17 10:49 serial.old -rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf -rwxrwxrwx 1 root root 4210 Mar 17 10:49 server.crt -rwxrwxrwx 1 root root 1062 Mar 17 10:49 server.csr -rwxrwxrwx 1 root root 1743 Mar 17 10:49 server.key -rwxrwxrwx 1 root root 2533 Mar 17 10:49 server.p12 -rwxrwxrwx 1 root root 3495 Mar 17 10:49 server.pem -rwxrwxrwx 1 root root 578 Nov 19 14:20 xpextensions
chown -R radiusd:radiusd /etc/raddb chmod -R 755 /etc/raddb/certs alan
Thanks man, this commands solved my problem!! Bruno 2009/3/20 <A.L.M.Buxey@lboro.ac.uk>
Hi,
RADIUS:/etc/raddb/certs # ls -l total 104 -rwxrwxrwx 1 root root 4210 Mar 17 10:49 01.pem -rwxrwxrwx 1 root root 4441 Nov 19 14:20 Makefile -rwxrwxrwx 1 root root 5343 Nov 19 14:20 README -rwxrwxrwx 1 root radiusd 462 Nov 19 14:20 bootstrap -rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf -rwxrwxrwx 1 root root 1195 Mar 17 10:49 ca.der -rwxrwxrwx 1 root root 1743 Mar 17 10:49 ca.key -rwxrwxrwx 1 root root 1675 Mar 17 10:49 ca.pem -rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf -rwxrwxrwx 1 root root 466 Mar 19 15:10 dh -rwxrwxrwx 1 root root 120 Mar 17 10:49 index.txt -rwxrwxrwx 1 root root 21 Mar 17 10:49 index.txt.attr -rwxrwxrwx 1 root root 0 Mar 17 10:49 index.txt.old -rwxrwxrwx 1 root root 1024 Mar 19 15:11 random -rwxrwxrwx 1 root root 3 Mar 17 10:49 serial -rwxrwxrwx 1 root root 3 Mar 17 10:49 serial.old -rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf -rwxrwxrwx 1 root root 4210 Mar 17 10:49 server.crt -rwxrwxrwx 1 root root 1062 Mar 17 10:49 server.csr -rwxrwxrwx 1 root root 1743 Mar 17 10:49 server.key -rwxrwxrwx 1 root root 2533 Mar 17 10:49 server.p12 -rwxrwxrwx 1 root root 3495 Mar 17 10:49 server.pem -rwxrwxrwx 1 root root 578 Nov 19 14:20 xpextensions
chown -R radiusd:radiusd /etc/raddb
chmod -R 755 /etc/raddb/certs
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
A.L.M.Buxey@lboro.ac.uk wrote:
chown -R radiusd:radiusd /etc/raddb
chmod -R 755 /etc/raddb/certs
Yuck - marking data files executable. I'd start with: find /etc/raddb/certs -type d -exec chmod 755 {} \; find /etc/raddb/certs \! -type d -exec chmod 644 {} \; and fix any program file that should be 755 -- REALITY.SYS not found: Universe halted.
Bruno Noronha wrote:
Leighton, tks for help me. I agree with you, the messages are a little bit confusing for me too. That's what I thought, problems wich permission. That's why I did chmod 777, even knowing that it's not recommended. After doing this, the issue persist...I'm using the newest available version of freeradius.org <http://freeradius.org>.
For the LAST time: This is not a FreeRADIUS problem. Fix your OS so that it lets FreeRADIUS read the configuration files.
Here follows the output of Makefile.
/etc/raddb/certs/Makefile /etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found grep: server.cnf: No such file or directory
Uh... you do know that you can't execute Makefiles like shell scripts? Alan DeKok.
Bruno Noronha wrote:
Sorry but what you said doesn't make any sense to me. The default config didn't work.
<shrug> Then something on *your* system is preventing it from working.
How can you explain the same alarms even after changing the permissions to everyone?
I don't. It's *your* system. FreeRADIUS isn't generating those errors. The OS on your system is telling FreeRADIUS that it can't read those files. If you don't understand how your OS works, then you need to solve that problem before you spend any more time with FreeRADIUS. Alan DeKok.
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Andrew Hood -
Bruno Noronha -
Leighton Man -
sollunga -
tnt@kalik.net