Resolution (was: Re: "WARNING: !! EAP session for state ... did not finish!", And Other Warnings)
Jim Seymour
jseymour at LinxNet.com
Wed Oct 7 16:13:05 CEST 2015
On Sat, 3 Oct 2015 17:03:55 +0100
Nick Lowe <nick.lowe at gmail.com> wrote:

> There's a good link here too:
>
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

Thanks, Nick. I'd already covered all the bases mentioned there,
except for AltName, which does not appear necessary for my purposes.

I tried everything recommended here, including wiping everything out
and reinstalling from scratch. Two or three times. And including using
all the "official" docs, guides and directions I could find.

Side note: Attempting to use the certs created by the FreeRADIUS
Makefile would not allow OpenLDAP to run. Nor could I persuade
"openssl verify ..." to validate the certificate chain, no matter
what I did.

Altering /etc/ssl/openssl.cnf to include the appropriate attributes and
using CA.pl with -newca/-newcert-nodes/-sign produced certificates
indistinguishable from those produced by the FreeRADIUS certs Makefile
(examining them with "openssl x509 -noout -text -in <file>"), except
both OpenLDAP and "openssl verify ..." were happy with those certs.
However they made no difference in the behaviour of FreeRADIUS or the
MS-Win7 PC.

Enough, already.

1.1.1 has been working on the server being replaced, so I downloaded
source tarballs of everything from 1.1.1 thru 1.1.8 (the link for 1.1.8
on the download page is broken, btw), and started building,
(re-)installing and testing.

Note: Had to add "#define lt__PROGRAM__LTX_preloaded_symbols
lt_libltdl_LTX_preloaded_symbols" (note line wrap) to the
top of src/main/modules.c to work around a bug in libltdl.

Results:

    1.1.3 worked right out of the gate, using the config
          files from the currently-running server, with slight
          adjustment, and the new certs
    1.1.8 did not work on the first attempt
    1.1.4 worked, with slight config file changes
    1.1.6 same as above
    1.1.8 same as above

I don't understand why I've been unable to get 2.x.x going, but I've
beat my head against it long enough. There's a boat-load of other
stuff to install, configure and test on this server, and a ton of
projects backed-up behind this project. I must move on, so 1.1.8 is
what we'll be using.

Thanks, everybody, for your kind and patient assistance!

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.