freeradius eap error.

Jacob Jarick mem.namefix at gmail.com
Fri Apr 27 05:23:58 CEST 2007 

there is a script that comes with the freeradius source (perhaps bins
aswell) that generates you new certs.
for me the script is @
/usr/src/freeradius-1.1.6/scripts/CA.all

iirc that will generate you all the certs u need and read default
options from your openssl config file. You will have to copy across
your new certs once done (be sure to backup 1st).

good luck.

On 4/27/07, member alsuki <alsuki at opensuse.us> wrote:
> Hello, list.
>
> I'm having some problems implementing freeradius on opensuse box.
> I've followed the toturial at novell and as a test i've used the default CA
> and certs that camed  with the freeradius rpm.
> This worked very good the server started and  every thing seamed  nice.
> Then i made my own CA and certs,  1st a 4096 and then a 1024 bits, but no
> luck in either cases.
> Is there a limit to the length of the certs and CA keys?
> I've google to find if there was some info on this but no luck.
> Can anyone help me on this?
>
> This is a radiusd -X -A output.
>
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> Config:   including file: /etc/raddb/snmp.conf
> Config:   including file: /etc/raddb/eap.conf
> Config:   including file: /etc/raddb/sql.conf
>  main: prefix = "/usr"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log/radius"
>  main: libdir = "/usr/lib/freeradius"
>  main: radacctdir = "/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: bind_address = 10.10.0.1 IP address [10.10.0.1]
>  main: user = "radiusd"
>  main: group = "radiusd"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = no
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/lib/freeradius
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = "(null)"
>  exec: input_pairs = "request"
>   exec: output_pairs = "(null)"
>  exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>  mschap: use_mppe = yes
>  mschap: require_encryption = yes
>  mschap: require_strong = yes
>  mschap: with_ntdomain_hack = no
>  mschap: passwd = "(null)"
>  mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
>   unix: cache = no
>  unix: passwd = "(null)"
>  unix: shadow = "(null)"
>  unix: group = "(null)"
>  unix: radwtmp = "/var/log/radius/radwtmp"
>  unix: usegroup = no
>  unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
>  eap: default_eap_type = "peap"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
>  gtc: challenge = "Password: "
>  gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
>  tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
>  tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
>  tls: private_key_password = "whatever"
>  tls: dh_file = "/etc/raddb/certs/dh"
>  tls: random_file = "/etc/raddb/certs/random"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
>  tls: check_cert_cn = "(null)"
>  tls: cipher_list = "(null)"
>  tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: SSL error error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt
> rlm_eap_tls: Error reading private key file
> rlm_eap: Failed to initialize type tls
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1941] Unknown module "eap".
> radiusd.conf[1888] Failed to parse authenticate section.
>
> Thanks for any help that may came from this list.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list