On Thu, Apr 23, 2009 at 15:34, Glen Millard <glenmillard@gmail.com> wrote:
How are you sir?
I will post this to the group if you want , but this is making me crazy:
I am wondering the best way to troubleshoot this.
Installing FreeRADIUS on CentOS 5: radiusd: FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Apr 23 2009 at 14:17:48
When I start it for the first time, it builds all of the 'fake' certs okay and runs properly.
(I am not sure if this would be an OpenSSL error or FreeRADIUS error. What would you think the best way to troubleshoot this would be? Or do you have any helpful hints?)
However, when I attempt to build real certs, I see the following:
FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Apr 23 2009 at 14:17:48 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/control-socket including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5
max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log {
stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers ####
proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth"
secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30
num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over
home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1
require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec
exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration
expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap
Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap
mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp"
} Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048
} Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc
gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes
rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "rifywbi!" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24
max_entries = 255 } } rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap". /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
} } Errors initializing modules
When I start it for the first time, it builds all of the 'fake' certs okay and runs properly.
(I am not sure if this would be an OpenSSL error or FreeRADIUS error. What would you think the best way to troubleshoot this would be? Or do you have any helpful hints?)
However, when I attempt to build real certs, I see the following:
And how do you build "real" certificates? Using instructions in raddb/certs/README or some other way? Ivan Kalik Kalik Informatika ISP
Sorry - neglected to put that in there! I followed the instructions in the README file in /usr/local/etc/raddb/certs If you want to see any files/info/parameters, please ask! Thanks Glen On Thu, Apr 23, 2009 at 16:32, <tnt@kalik.net> wrote:
When I start it for the first time, it builds all of the 'fake' certs okay and runs properly.
(I am not sure if this would be an OpenSSL error or FreeRADIUS error. What would you think the best way to troubleshoot this would be? Or do you have any helpful hints?)
However, when I attempt to build real certs, I see the following:
And how do you build "real" certificates? Using instructions in raddb/certs/README or some other way?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
When I start it for the first time, it builds all of the 'fake' certs okay and runs properly.
(I am not sure if this would be an OpenSSL error or FreeRADIUS error. What would you think the best way to troubleshoot this would be? Or do you have any helpful hints?)
However, when I attempt to build real certs, I see the following:
snip - tot he bit of config that concerns me
pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem"
snip to the error
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem rlm_eap: Failed to initialize type tls
yep. you've put a PEM file as the key file - is this key file the file you really want? normally you'd give it a key file (look at the working out of the box files.. the key file will start -----BEGIN RSA PRIVATE KEY----- the pem (certificate file) will start -----BEGIN CERTIFICATE----- alan
When I start it for the first time, it builds all of the 'fake' certs okay and runs properly.
(I am not sure if this would be an OpenSSL error or FreeRADIUS error. What would you think the best way to troubleshoot this would be? Or do you have any helpful hints?)
However, when I attempt to build real certs, I see the following:
snip - tot he bit of config that concerns me
pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem"
snip to the error
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem rlm_eap: Failed to initialize type tls
You haven't created server certificate using one password and then entered differnt one in eap.conf? Check tha the password in .cnf file is the same as the one in eap.conf. Ivan Kalik Kalik Informatika ISP
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Glen Millard -
tnt@kalik.net