EAP-TLS not initializing

Ben Tucker h_bbit at hotmail.com
Thu Nov 6 15:28:54 CET 2014 

Sorry, forgot the debug output as well..

[root at lasamiq3 raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib64"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib64
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/radius-priv-key.pem"
 tls: certificate_file = "/etc/raddb/certs/radius-priv-cert.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "mercury"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed. 
radiusd.conf[1940] Unknown module "eap".
radiusd.conf[1887] Failed to parse authenticate section. 

> Date: Thu, 6 Nov 2014 09:08:20 -0500
> From: aland at deployingradius.com
> To: freeradius-users at lists.freeradius.org
> Subject: Re: EAP-TLS not initializing
> 
> Ben Tucker wrote:
> > Not a very affluent Linux user here but this issue is beyond me.  I
> > think its something simple to solve but can't figure it out for the life
> > of me.  When running radius in debug mode it is giving me a permission
> > denied message when trying to load the certificates.  The certs are
> > there in the correct directory.  What else am I missing here?
> 
>   The permissions are wrong.
> 
>   For one, you're using version 1.  Don't.  Upgrade to 2.2.5.
> 
> > [root at lasamiq3 raddb]# dir -l certs
> > total 64
> > -rw-r--rwx 1 root radiusd  721 Dec  4  2009 cert-clt.der
> 
>   Uh... you do realize that's bad, right?
> 
>   The files should NOT be readable and writable by everyone on the
> system.  They should NOT be executable.
> 
>   You went out of your way to break the server.  Don't do that.  The
> default permissions are correct.
> 
>   You need to do the following as root:
> 
> cd /etc/raddb
> chmod -R -x .
> chmod -R o-rw .
> 
>   And don't break the server.  It causes problems.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141106/dc6b52f9/attachment-0001.html>

More information about the Freeradius-Users mailing list