EAP PEAP, unable to load certificate

Nick Larsen larsen.nick at gmail.com
Fri Aug 25 06:18:54 CEST 2006


Hi Subscribers,

I'm currently setting up a wireless hotspot for a cafe, and am currently
stuck with the EAP part in FreeRADIUS.

I'm running "FreeRADIUS Version 1.1.1" on FreeBSD
`uname -a` output:
   FreeBSD radius02.01.net.nz 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Wed Nov  2
22:33:15 UTC 2005
   root at s-dallas.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  sparc64

I'm trying to connect my i-mate PDA2k (PDA) to the Linksys WAG54g access
point. The access point is set up to use WPA-RADIUS, but when I attempt to
connect to it from the PDA, it says the Linksys isn't sending a
User-Password or CHAP-Password attribute, so this is where I thought I
needed EAP.

We want to make it as easy as possible for people with mobile devices to
connect to the AP, so I decided to use the PEAP method, which requires tls{}
to be enabled.

I have created an SSL certificate (CA) and private key file, and put them in
/etc/raddb/certs and referenced them correctly in eap.conf under tls{} but
when I enable peap{} I get the following output from radiusd -XA:

(On the 8th to last line, you'll see fopen, and it has nothing between the
quotes in the 1st argument.)

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 5120
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: bind_address = 10.10.1.18 IP address [10.10.1.18]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded SQL Counter
 sqlcounter: counter-name = "Daily-Session-Time"
 sqlcounter: check-name = "Max-Daily-Session"
 sqlcounter: key = "User-Name"
 sqlcounter: sqlmod-inst = "sql"
 sqlcounter: query = "SELECT SUM(AcctSessionTime -  GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
 sqlcounter: reset = "daily"
 sqlcounter: safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 1830
rlm_sqlcounter: Check attribute Max-Daily-Session is number 1831
rlm_sqlcounter: Current Time: 1156477612 [2006-08-25 15:46:52], Next reset
1156507200 [2006-08-26 00:00:00]
rlm_sqlcounter: Current Time: 1156477612 [2006-08-25 15:46:52], Prev reset
1156420800 [2006-08-25 00:00:00]
Module: Instantiated sqlcounter (dailycounter)
 sqlcounter: counter-name = "Monthly-Session-Time"
 sqlcounter: check-name = "Max-Monthly-Session"
 sqlcounter: key = "User-Name"
 sqlcounter: sqlmod-inst = "sql"
 sqlcounter: query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
 sqlcounter: reset = "monthly"
 sqlcounter: safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sqlcounter: Counter attribute Monthly-Session-Time is number 1832
rlm_sqlcounter: Check attribute Max-Monthly-Session is number 1833
rlm_sqlcounter: Current Time: 1156477612 [2006-08-25 15:46:52], Next reset
1157025600 [2006-09-01 00:00:00]
rlm_sqlcounter: Current Time: 1156477612 [2006-08-25 15:46:52], Prev reset
1154347200 [2006-08-01 00:00:00]
Module: Instantiated sqlcounter (monthlycounter)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/private/cakey.pem"
 tls: certificate_file = "(null)"
 tls: CA_file = "/etc/raddb/certs/cacert.pem"
 tls: private_key_password = "*******"
 tls: dh_file = "(null)"
 tls: random_file = "(null)"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
1062:error:0200100E:system library:fopen:Bad
address:bss_file.c:352:fopen('','r')
1062:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
1062:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system
lib:ssl_rsa.c:720:
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1906] Unknown module "eap".
radiusd.conf[1853] Failed to parse authenticate section.

Does anyone know what could cause this, or is there a better method to get
ease of use for wireless clients?
Please let me know if there's other info you need which may help, as I'm
sure I would have forgotten something.

Thanks in advance,


-- 
Regards,

Nick Larsen
Wellington
NEW ZEALAND
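The debug output above already names the fault: every tls{} setting is echoed back, and certificate_file is "(null)" while private_key_file and CA_file are set. rlm_eap_tls hands that empty string to SSL_CTX_use_certificate_chain_file, which is why OpenSSL reports fopen('','r'). Two further points are visible in the same lines: private_key_file points at the CA's own key (certs/private/cakey.pem) rather than a server key, and a PEAP server is expected to present its own certificate issued by the CA, with certificate_file pointing at that certificate (or a PEM chain ending in it). The following checker is an added example, not part of the original post or of FreeRADIUS. It parses the subset of eap.conf syntax that matters here (one `key = value` per line inside `tls { ... }`, `#` comments, `${var}` references), and the sample eap.conf fragment and the `${raddbdir}` value it expands are constructed to mirror the values in the log, not taken from the poster's actual configuration.

```python
"""Pre-flight check for the tls{} section of a FreeRADIUS 1.x eap.conf.

Added example (not from the original post or the FreeRADIUS project). It
reports the problems that produce the "fopen('','r')" failure in the debug
output: a required file setting that is unset or empty, a path that does not
exist, and a certificate_file that is just the CA certificate.
"""
import os
import re

REQUIRED = ("private_key_file", "certificate_file", "CA_file")
_ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
_VAR = re.compile(r'\$\{([A-Za-z_][A-Za-z0-9_]*)\}')

# Constructed sample, modelled on the values echoed in the debug output:
# certificate_file is commented out, which is what makes radiusd pass an
# empty path to OpenSSL.
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/private/cakey.pem
        # certificate_file = ${raddbdir}/certs/server.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        fragment_size = 1024
        include_length = yes
    }
    peap {
        default_eap_type = mschapv2
    }
}
"""


def parse_tls_block(text):
    """Return {key: value} for the first tls { ... } section, or None if absent.

    Only the subset of eap.conf syntax needed here is handled. Everything
    after '#' is treated as a comment, so a private_key_password containing
    '#' would be truncated by this simplified parser.
    """
    settings = {}
    depth = 0
    seen = False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if not seen:
            if re.match(r'^tls\s*\{$', line):
                seen, depth = True, 1
            continue
        if line.endswith('{'):          # nested sub-section: skip its contents
            depth += 1
            continue
        if line == '}':
            depth -= 1
            if depth == 0:
                break
            continue
        if depth == 1:
            m = _ASSIGN.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings if seen else None


def expand(value, variables):
    """Expand ${name} references from the supplied mapping (assumed values)."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise ValueError("undefined config variable ${%s}" % name)
        return variables[name]
    return _VAR.sub(repl, value)


def check_tls_block(text, variables, exists=os.path.exists):
    """Return a list of (severity, key, message); an empty list means no finding.

    `exists` is injectable so the check can run against a path set that is
    not the local filesystem (used by the tests below).
    """
    tls = parse_tls_block(text)
    if tls is None:
        return [("error", "tls", "no tls{} section found; PEAP needs one")]
    findings = []
    resolved = {}
    for key in REQUIRED:
        value = tls.get(key, "")
        if not value:
            findings.append(("error", key,
                "not set: radiusd hands an empty path to OpenSSL, "
                "which fails as fopen('','r')"))
            continue
        try:
            path = expand(value, variables)
        except ValueError as e:
            findings.append(("error", key, str(e)))
            continue
        resolved[key] = path
        if not exists(path):
            findings.append(("error", key, "file not found: " + path))
    if resolved.get("certificate_file") and \
            resolved["certificate_file"] == resolved.get("CA_file"):
        findings.append(("warning", "certificate_file",
            "same file as CA_file: the server should present its own "
            "certificate signed by the CA, not the CA certificate itself"))
    return findings


if __name__ == "__main__":
    for sev, key, msg in check_tls_block(SAMPLE_EAP_CONF,
                                         {"raddbdir": "/etc/raddb"}):
        print("%s: %s: %s" % (sev.upper(), key, msg))
```

Once certificate_file is set, the next check worth doing by hand is that the key and certificate belong together: `openssl x509 -noout -modulus -in server.pem` and `openssl rsa -noout -modulus -in server.key` must print the same modulus, otherwise rlm_eap_tls fails at the next step with a key-mismatch error instead. The logged rsa_key_length = 512 and dh_key_length = 512 are not the cause of this failure, but they are far below current minimums for the ephemeral keys they govern and should be raised once the server starts.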