I am using: freeradius -v freeradius: FreeRADIUS Version 2.2.5, for host i586-pc-linux-gnu, built on Oct 24 2014 at 04:18:43 Running on a Alix computer with a Voyage Version: 0.10.0 with IP 192.168.1.5 (Voyage is a Debian derivetive) with hostapd -v hostapd v2.3 User space daemon for IEEE 802.11 AP management, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator Copyright (c) 2002-2014, Jouni Malinen <j@w1.fi> and contributors On a RPI3 with IP 192.168.1.30 as a NAS/AP. From the RPI3 I can use # radtest tst password 192.168.1.5 0 secret123 with succes. So I expect hostapd and freeradius to be corect configered? Here comes the problem: I followed the howto to this point: http://deployingradius.com/documents/configuration/pap.html I tryid to disable validate server certificate, on a windows 7, but it stil ends op showing me: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x3e833be03884222b... did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! So I expect a certificate problem and follow this howto: http://deployingradius.com/documents/configuration/certificates.html This does not work as expectid. When I run # freeradius -X No change. I suspect the certificates is not moved to where they should be. (They are in: /usr/share/doc/freeradius/examples/certs So I copy the cerificate into: /etc/freeradius/certs and check the rights. It looks like the original, but its no link. /etc/freeradius# ls -l certs -rw-r--r-- 1 root freerad 1700 Jun 28 15:11 ca.pem -rw-r--r-- 1 root freerad 1834 Jun 28 15:13 server.key -rw-r--r-- 1 root freerad 3609 Jun 28 15:11 server.pem Now when i run: # freeradius -X It crashes with this: ....... url ="http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /etc/freeradius/certs/server.key rlm_eap: Failed to initialize type tls /etc/freeradius/eap.conf[17]: Instantiation failed for module "eap" /etc/freeradius/sites-enabled/default[310]: Failed to find "eap" in the "modules" section. /etc/freeradius/sites-enabled/default[252]: Errors parsing authenticate section. /etc/freeradius# Then I am a little lost. Any idea? -- ------------------------------------------- Med venlig hilsen / Yours Sincerly Henrik Kressner
On Jun 28, 2016, at 10:41 AM, Henrik Kressner <kressner@synkro.dk> wrote:
I am using:
freeradius -v freeradius: FreeRADIUS Version 2.2.5, for host i586-pc-linux-gnu, built on Oct 24 2014 at 04:18:43
This version is unsupported. You should upgrade to the latest v3.0.x series release. -Arran
On 28-06-2016 16:51, Arran Cudbard-Bell wrote:
On Jun 28, 2016, at 10:41 AM, Henrik Kressner <kressner@synkro.dk> wrote:
I am using:
freeradius -v freeradius: FreeRADIUS Version 2.2.5, for host i586-pc-linux-gnu, built on Oct 24 2014 at 04:18:43 This version is unsupported.
You should upgrade to the latest v3.0.x series release.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for fast reply. Now i suspect an error on: http://wiki.freeradius.org/building/Debian It claims: " To install up-to-date FreeRADIUS 2.2.x packages on Debian stable systems, use the backports repository." When I follow that instruction, (on another mashine) I end op with the same version. # freeradius -v freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 When i try to start the server: # freeradius -X It crashes with this troubeling message: radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } Refusing to start with libssl version OpenSSL 1.0.1e 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed) For more information see http://heartbleed.com I believe my openssl should be updated. Anyway, I must look for a way to install v3.x.x. -- ------------------------------------------- Med venlig hilsen / Yours Sincerly Henrik Kressner kressner@synkro.dk Ingeniørfirmaet Synkro / Synkro Engineering Vædevej 64 5462 Morud http://www.synkro.dk Direkte 40 37 40 87
On Jun 28, 2016, at 11:14 AM, Henrik Kressner <kressner@synkro.dk> wrote:
Now i suspect an error on: http://wiki.freeradius.org/building/Debian
It claims:
" To install up-to-date FreeRADIUS 2.2.x packages on Debian stable systems, use the backports repository."
Ask Debian why they're years behind our releases.
It crashes with this troubeling message:
It's not a crash. Stop saying that.
radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } Refusing to start with libssl version OpenSSL 1.0.1e 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed) For more information see http://heartbleed.com
I believe my openssl should be updated.
Read raddb/radiusd.conf. Look for "openssl".
Anyway, I must look for a way to install v3.x.x.
Install 3.0.11. It's a supported release. Alan DeKok.
On 28-06-2016 17:20, Alan DeKok wrote:
On Jun 28, 2016, at 11:14 AM, Henrik Kressner <kressner@synkro.dk> wrote:
Zip
Install 3.0.11. It's a supported release.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wow, this list rocks :) Thank for fast reply and input, I will try it out, if not for else, Ill be wiser. And i will stop calling it a crash when its an error. How could you see the password for the server certificate is wrong ? -- ------------------------------------------- Med venlig hilsen / Yours Sincerly Henrik Kressner
On Jun 28, 2016, at 11:38 AM, Henrik Kressner <kressner@synkro.dk> wrote:
And i will stop calling it a crash when its an error.
Thanks.
How could you see the password for the server certificate is wrong ?
Because that's the only reason why the server key cannot be decrypted. Alan DeKok.
Hi Henrik The situation with Debian is not so easy, but for interim have a look at the building packages page in the FR wiki. You will find for both Debian and Ubuntu repositories maintained by people using and building packages for Debian and Ubuntu. In case of Debian for wheezy and jessie as for writing. Give them a try, and otherwise I can only concur with Arran and Alan: It's not that difficult to compile from source or build a debian package from source. -- Mathieu Am 28.06.2016 um 17:14 schrieb Henrik Kressner:
On 28-06-2016 16:51, Arran Cudbard-Bell wrote:
On Jun 28, 2016, at 10:41 AM, Henrik Kressner <kressner@synkro.dk> wrote:
I am using:
freeradius -v freeradius: FreeRADIUS Version 2.2.5, for host i586-pc-linux-gnu, built on Oct 24 2014 at 04:18:43 This version is unsupported.
You should upgrade to the latest v3.0.x series release.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for fast reply.
Now i suspect an error on: http://wiki.freeradius.org/building/Debian
It claims:
" To install up-to-date FreeRADIUS 2.2.x packages on Debian stable systems, use the backports repository."
When I follow that instruction, (on another mashine) I end op with the same version.
# freeradius -v freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11
When i try to start the server:
# freeradius -X
It crashes with this troubeling message:
radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } Refusing to start with libssl version OpenSSL 1.0.1e 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed) For more information see http://heartbleed.com
I believe my openssl should be updated.
Anyway, I must look for a way to install v3.x.x.
On Tue, Jun 28, 2016 at 05:35:09PM +0200, Mathieu Simon (Lists) wrote:
The situation with Debian is not so easy, but for interim have a look at the building packages page in the FR wiki.
Unfortunately, at the current time, the FR wiki Debian pages are a bit messed up. All the stuff I rewrote earlier in the year with up-to-date instruction is lost AFAICT. I'm hoping to rewrite the page again at some point soon but, as always, time...
You will find for both Debian and Ubuntu repositories maintained by people using and building packages for Debian and Ubuntu.
In case of Debian for wheezy and jessie as for writing. Give them a try, and otherwise I can only concur with Arran and Alan: It's not that difficult to compile from source or build a debian package from source.
For the time being, something like this should suffice: sudo apt-get install git-core dpkg-dev git clone git://github.com/FreeRADIUS/freeradius-server.git cd freeradius-server/ git checkout release_3_0_11 dpkg-checkbuilddeps # apt-get install any required packages from above dpkg-buildpackage -us -uc -rfakeroot Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Jun 28, 2016, at 10:41 AM, Henrik Kressner <kressner@synkro.dk> wrote:
freeradius: FreeRADIUS Version 2.2.5, for host i586-pc-linux-gnu, built on Oct 24 2014 at 04:18:43
You should upgrade. it's not difficult.
Here comes the problem:
I followed the howto to this point: http://deployingradius.com/documents/configuration/pap.html
I tryid to disable validate server certificate, on a windows 7, but it stil ends op showing me:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x3e833be03884222b... did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
So I expect a certificate problem and follow this hoot:
The Windows machine doesn't have the correct CA certificate fix that. There may also be additional Windows requirements which were not known at the time that 2.2.5 was released. A newer version of the server will be able to create certificates that Windows likes.
I suspect the certificates is not moved to where they should be.
(They are in: /usr/share/doc/freeradius/examples/certs
Debian moves the certificates for reasons I don't understand.
So I copy the cerificate into: /etc/freeradius/certs and check the rights. It looks like the original, but its no link.
/etc/freeradius# ls -l certs -rw-r--r-- 1 root freerad 1700 Jun 28 15:11 ca.pem -rw-r--r-- 1 root freerad 1834 Jun 28 15:13 server.key -rw-r--r-- 1 root freerad 3609 Jun 28 15:11 server.pem
OK...
Now when i run:
# freeradius -X
It crashes with this:
That's not a crash. It's an error. It's telling you that you did something wrong.
....... url ="http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /etc/freeradius/certs/server.key
The password for the server certificate is wrong. Fix that. See the EAP module configuration. Look for "password". Alan DeKok.
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Henrik Kressner -
Mathieu Simon (Lists) -
Matthew Newton