failed eap-type/tls???

BigMick mick at bmnetworks.co.uk
Tue Dec 20 16:46:13 CET 2005


You get this on Debian because rlm_eap_tls.so is not included in the
Debian package, due to licensing issues with OpenSSL (IIRC).

I've installed on Debian twice now, and each time I've had to install
OpenSSL and FreeRADIUS from source. Expect a few compile-time errors,
but they are easily fixed by apt-getting the -dev packages for whatever
is missing. Bear in mind that a source-built OpenSSL and FreeRADIUS will
not receive Debian's security updates, so you have to track upstream
fixes for them yourself.

Also, if you are installing it for use with PostgreSQL, I'd advise
installing that from source as well.

For reference, look under /usr/share/doc/freeradius for the
documentation. In the copyright notes you will find this:

--| START QUOTE |--
"Some GPL parts of this software depend on OpenSSL, the combination of
which cannot be distributed in compiled binary form. The following
modules cannot be enabled as they directly depend on OpenSSL:

rlm_eap_peap
rlm_eap_tls
rlm_eap_ttls
rlm_x99_token

Also, the FreeRADIUS core's SNMP support and the rlm_sql_postgresql
module transitively depend on OpenSSL via libsnmp{4.2,5} and libpq3
so they cannot be enabled currently, but this is subject to changes
in the relevant packages within Debian, or having usable alternate
libraries in Debian."
--| END QUOTE |--

--
BigMick


pelusa vali wrote:
> Hi everybody. I'm trying to implement an AP on Linux; I use
> madwifi-ng, Debian Sarge with kernel 2.6.13, and the FreeRADIUS supplied
> on the Debian installation CDs. I'd like to add more security, so I
> decided to use hostapd and FreeRADIUS. First I generated my own
> certificates using OpenSSL, and my hostapd configuration refers to the
> FreeRADIUS files and directories. Here is my radiusd.conf file:
> 
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log/freeradius
> raddbdir = /etc/freeradius
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/freeradius
> log_file = ${logdir}/radius.log
> libdir = /usr/lib/freeradius
> pidfile = ${run_dir}/freeradius.pid
> user = root
> group = root
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = 192.168.50.1
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions    = yes
> extended_expressions    = yes
> log_stripped_names = no
> log_auth = no
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = before
> lower_pass = before
> nospace_user = before
> nospace_pass = before
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
> proxy_requests  = yes
> $INCLUDE  ${confdir}/proxy.conf
> $INCLUDE  ${confdir}/clients.conf
> snmp    = no
> $INCLUDE  ${confdir}/snmp.conf
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
> modules {
> pap {
> encryption_scheme = crypt
> }
> chap {
> authtype = CHAP
> }
> pam {
> pam_auth = radiusd
> }
> unix {
> cache = no
> cache_reload = 600
> shadow = /etc/shadow
> radwtmp = ${logdir}/radwtmp
> }
> 
> $INCLUDE ${confdir}/eap.conf
> mschap {
> }
> ldap {
> server = "ldap.your.domain"
> basedn = "o=My Org,c=UA"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = no
> access_attr = "dialupAccess"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
> realm IPASS {
> format = prefix
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> realm realmpercent {
> format = suffix
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> realm ntdomain {
> format = prefix
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
> checkval {
> item-name = Calling-Station-Id
> check-name = Calling-Station-Id
> data-type = string
> }
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> acctusersfile = ${confdir}/acct_users
> compat = no
> }
> 
>     detail {
>         detailperm = 0600
>     }
> 
>     acct_unique {
>         key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
>     }
> 
>     $INCLUDE  ${confdir}/sql.conf
> 
>     radutmp {
>         filename = ${logdir}/radutmp
>         username = %{User-Name}
>     case_sensitive = no
>         check_with_nas = yes
>         perm = 0600
>     callerid = "yes"
>     }
> 
>     radutmp sradutmp {
>         filename = ${logdir}/sradutmp
>         perm = 0644
>         callerid = "no"
>     }
> 
>     attr_filter {
>         attrsfile = ${confdir}/attrs
>     }
> 
>     counter daily {
>         filename = ${raddbdir}/db.daily
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = daily
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>         allowed-servicetype = Framed-User
>         cache-size = 5000
>     }
> 
>     always fail {
>         rcode = fail
>     }
>     always reject {
>         rcode = reject
>     }
>     always ok {
>         rcode = ok
>         simulcount = 0
>         mpp = no
>     }
> 
>     expr {
>     }
> 
>     digest {
>     }
> 
>     exec {
>         wait = yes
>         input_pairs = request
>     }
> 
>     exec echo {
>         wait = yes
>     program = "/bin/echo %{User-Name}"
>         input_pairs = request
>         output_pairs = reply
>     }
> 
>     ippool main_pool {
>         range-start = 192.168.1.1
>         range-stop = 192.168.3.254
>         netmask = 255.255.255.0
>         cache-size = 800
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
>         override = no
>         maximum-timeout = 0
>     }
> }
> 
> instantiate {
>     exec
>     expr
> }
> 
> authorize {
>     preprocess
>     chap
>     mschap
>     suffix
> eap
>     files
> }
> 
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
> 
>     Auth-Type CHAP {
>         chap
>     }
> 
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     unix
>     eap
> }
> 
> preacct {
>     preprocess
>     acct_unique
>     suffix
> files
> }
> 
> accounting {
>     detail
>     unix
>     radutmp
> }
> 
> session {
>     radutmp
> }
> 
> post-auth {
> }
> 
> pre-proxy {
> }
> 
> post-proxy {
>     eap
> }
> 
> And here is the eap.conf file:
> 
>     eap {
>         default_eap_type = tls
>         timer_expire     = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
> 
>         md5 {
>         }
> 
>         leap {
>         }
> 
> 
>         gtc {
>             auth_type = PAP
>         }
> 
> 
>         tls {
>             private_key_password = wlanserver
>             private_key_file =
> /etc/freeradius/certs/miscerts/private/cakey.pem
>             certificate_file = /etc/freeradius/certs/miscerts/cacert.crt
>             CA_file = /etc/freeradius/certs/miscerts/cacert.pem
>             dh_file = /etc/freeradius/certs/dh
>             random_file = /etc/freeradius/certs/random
>             fragment_size = 1024
>           }
> 
> 
>         ttls {
>             default_eap_type = md5
>             copy_request_to_tunnel = no
>             use_tunneled_reply = no
>         }
> 
>         mschapv2 {
>         }
>     }
> 
> Well, the problem is this: when I run freeradius -X I get this error:
> 
> rlm_eap:Failed to link EAP-Type/tls: rlm_eap_tls.so:cannot open shared
> object:no such file or directory
> radiusd.conf[9]:eap:instantation failed
> 
> So, could anybody help me? Why does this error occur, and how can I
> solve it?
> Thanks for your help.
> 
> _________________________________________________________________
> MSN Amor: busca tu ½ naranja http://latam.msn.com/amor/
> 
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



