Freeradius with lets encrypt certificate
André
netriver at gmail.com
Tue Dec 29 17:45:19 CET 2020
In attachment.
On Tue, Dec 29, 2020 at 4:36 PM Michael Schwartzkopff <ms at sys4.de> wrote:
> On 29.12.20 17:23, André wrote:
> > freeradius cloned from github:
> > https://github.com/FreeRADIUS/freeradius-server
> >
> > Tue Dec 29 14:31:40 2020: tls - Failed verifying chain: error:1414C086:SSL routines:ssl_build_cert_chain:certificate verify failed:Verify error:unable to get issuer certificate
> > Tue Dec 29 14:31:40 2020: rlm_eap_ttls - Failed initializing SSL context
> > Tue Dec 29 14:31:40 2020: /usr/local/freeradius/etc/raddb/mods-enabled/eap[1031]: Instantiation failed for module "eap.ttls"
> >
> > I'm using a Let's Encrypt certificate, but I'm getting this error message.
> >
> > What files should I be using for the cert?
> >
> > Best regards,
>
>
> Hi,
>
>
> It seems that you have not installed the CA of Let's Encrypt.
>
>
> What is the output of freeradius -X?
>
>
> Kind regards,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: Munich, District Court of Munich: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the Supervisory Board: Florian Kirstein
>
>
-------------- next part --------------
Info : FreeRADIUS Version 4.0.0
Info : Copyright 1999-2020 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
Debug : Including dictionary file "/usr/local/freeradius/etc/raddb/dictionary"
Debug : including configuration file /usr/local/freeradius/etc/raddb/radiusd.conf
Debug : Including files in directory "/usr/local/freeradius/etc/raddb/template.d/"
Debug : including configuration file /usr/local/freeradius/etc/raddb/template.d/default
Debug : including configuration file /usr/local/freeradius/etc/raddb/clients.conf
Debug : Including files in directory "/usr/local/freeradius/etc/raddb/mods-enabled/"
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/always
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/attr_filter
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/cache_eap
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/chap
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/client
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/delay
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/detail
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/detail.log
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/dhcpv4
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/digest
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/eap
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/eap_inner
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/echo
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/escape
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/exec
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/expiration
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/expr
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/files
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/ldap
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/linelog
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/logintime
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/mschap
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/ntlm_auth
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/pap
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/passwd
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/radutmp
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/soh
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/sradutmp
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/stats
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/unix
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/unpack
Debug : including configuration file /usr/local/freeradius/etc/raddb/mods-enabled/utf8
Debug : Including files in directory "/usr/local/freeradius/etc/raddb/policy.d/"
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/abfab-tr
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/accounting
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/canonicalisation
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/control
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/cui
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/debug
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/dhcp
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/eap
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/filter
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/operator-name
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/tacacs
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/time
Debug : including configuration file /usr/local/freeradius/etc/raddb/policy.d/vendor
Debug : Including files in directory "/usr/local/freeradius/etc/raddb/sites-enabled/"
Debug : including configuration file /usr/local/freeradius/etc/raddb/sites-enabled/default
Info : Loaded module "proto_radius"
Debug : including configuration file /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
Debug : Parsing security rules to bootstrap UID / GID / chroot / etc.
Debug : main {
Debug : prefix = /usr/local/freeradius
Debug : security {
Debug : allow_core_dumps = no
Debug : allow_vulnerable_openssl = no
Debug : openssl_fips_mode = no
Debug : }
Debug : name = radiusd
Debug : local_state_dir = "/usr/local/freeradius/var"
Debug : run_dir = /usr/local/freeradius/var/run/radiusd
Debug : }
Debug : Parsing main configuration.
Debug : main {
Debug : server default {
Debug : namespace = radius
Debug : listen {
Debug : type = Access-Request
Info : Loaded module "proto_radius_auth"
Debug : Access-Request {
Debug : log {
Debug : stripped_names = no
Debug : auth = yes
Debug : auth_badpass = no
Debug : auth_goodpass = no
Debug : msg_denied = "You are already logged in - access denied"
Debug : }
Debug : session {
Debug : timeout = 15
Debug : max = 4096
Debug : }
Debug : }
Debug : type = Status-Server
Info : Loaded module "proto_radius_status"
Debug : transport = udp
Info : Loaded module "proto_radius_udp"
Debug : udp {
Debug : ipaddr = *
Debug : port = 1812
Debug : networks {
Debug : allow = 127/8
Debug : allow = 192.168.31/24
Debug : }
Debug : max_packet_size = 4096
Debug : max_attributes = 255
Debug : }
Debug : limit {
Debug : cleanup_delay = 5
Debug : idle_timeout = 60
Debug : nak_lifetime = 30
Debug : max_connections = 256
Debug : max_clients = 256
Debug : max_pending_packets = 256
Debug : }
Debug : priority {
Debug : Access-Request = high
Debug : Accounting-Request = low
Debug : CoA-Request = normal
Debug : Disconnect-Request = low
Debug : Status-Server = now
Debug : }
Debug : }
Debug : listen {
Debug : type = Access-Request
Debug : Access-Request {
Debug : log {
Debug : stripped_names = no
Debug : auth = yes
Debug : auth_badpass = no
Debug : auth_goodpass = no
Debug : msg_denied = "You are already logged in - access denied"
Debug : }
Debug : session {
Debug : timeout = 15
Debug : max = 4096
Debug : }
Debug : }
Debug : type = Status-Server
Debug : transport = tcp
Info : Loaded module "proto_radius_tcp"
Debug : tcp {
Debug : ipaddr = *
Debug : port = 1812
Debug : networks {
Debug : allow = 127/8
Debug : allow = 192.168.31/24
Debug : }
Debug : max_packet_size = 4096
Debug : max_attributes = 255
Debug : }
Debug : limit {
Debug : cleanup_delay = 5
Debug : idle_timeout = 30
Debug : nak_lifetime = 30
Debug : max_connections = 1024
Debug : max_clients = 256
Debug : max_pending_packets = 256
Debug : }
Debug : priority {
Debug : Access-Request = high
Debug : Accounting-Request = low
Debug : CoA-Request = normal
Debug : Disconnect-Request = low
Debug : Status-Server = now
Debug : }
Debug : }
Debug : listen {
Debug : type = Accounting-Request
Info : Loaded module "proto_radius_acct"
Debug : transport = udp
Debug : udp {
Debug : ipaddr = *
Debug : port = 1813
Debug : networks {
Debug : }
Debug : max_packet_size = 4096
Debug : max_attributes = 255
Debug : }
Debug : limit {
Debug : cleanup_delay = 5
Debug : idle_timeout = 30
Debug : nak_lifetime = 30
Debug : max_connections = 1024
Debug : max_clients = 256
Debug : max_pending_packets = 256
Debug : }
Debug : priority {
Debug : Access-Request = high
Debug : Accounting-Request = low
Debug : CoA-Request = normal
Debug : Disconnect-Request = low
Debug : Status-Server = now
Debug : }
Debug : }
Debug : }
Debug : server inner-tunnel {
Debug : namespace = radius
Debug : listen {
Debug : type = Access-Request
Debug : Access-Request {
Debug : log {
Debug : stripped_names = no
Debug : auth = no
Debug : auth_badpass = no
Debug : auth_goodpass = no
Debug : msg_denied = "You are already logged in - access denied"
Debug : }
Debug : session {
Debug : timeout = 15
Debug : max = 4096
Debug : }
Debug : }
Debug : transport = udp
Debug : udp {
Debug : ipaddr = 127.0.0.1
Debug : port = 18120
Debug : networks {
Debug : }
Debug : max_packet_size = 4096
Debug : max_attributes = 255
Debug : }
Debug : limit {
Debug : cleanup_delay = 5
Debug : idle_timeout = 30
Debug : nak_lifetime = 30
Debug : max_connections = 1024
Debug : max_clients = 256
Debug : max_pending_packets = 256
Debug : }
Debug : priority {
Debug : Access-Request = high
Debug : Accounting-Request = low
Debug : CoA-Request = normal
Debug : Disconnect-Request = low
Debug : Status-Server = now
Debug : }
Debug : }
Debug : }
Debug : security {
Debug : }
Debug : sbin_dir = "/usr/local/freeradius/sbin"
Debug : logdir = /usr/local/freeradius/var/log/radius
Debug : radacctdir = /usr/local/freeradius/var/log/radius/radacct
Debug : reverse_lookups = no
Debug : hostname_lookups = yes
Debug : max_request_time = 30
Debug : pidfile = /usr/local/freeradius/var/run/radiusd/radiusd.pid
Debug : debug_level = 0
Debug : max_requests = 16384
Debug : log {
Debug : colourise = yes
Debug : }
Debug : resources {
Debug : }
Debug : thread pool {
Debug : num_networks = 1
Debug : num_workers = 4
Debug : }
Debug : }
Info : Switching to configured log settings
Debug : radiusd: #### Loading Clients ####
Debug : client localhost {
Debug : ipaddr = 127.0.0.1
Debug : require_message_authenticator = no
Debug : secret = <<< secret >>>
Debug : proto = *
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30
Debug : }
Debug : }
Debug : client localhost_ipv6 {
Debug : ipv6addr = ::1
Debug : require_message_authenticator = no
Debug : secret = <<< secret >>>
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30
Debug : }
Debug : }
Debug : client private-network-1 {
Debug : ipaddr = 192.168.31.0/24
Debug : require_message_authenticator = no
Debug : secret = <<< secret >>>
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30
Debug : }
Debug : }
Info : Debugger not attached
Warn : trigger { ... } subsection not found, triggers will be disabled
Debug : #### Bootstrapping listeners ####
Debug : client localhost {
Debug : ipaddr = 192.0.2.1
Debug : require_message_authenticator = no
Debug : secret = <<< secret >>>
Debug : shortname = sample
Debug : limit {
Debug : max_connections = 16
Debug : lifetime = 0
Debug : idle_timeout = 30
Debug : }
Debug : }
Debug : Creating Auth-Type = pap
Debug : Creating Auth-Type = chap
Debug : Creating Auth-Type = mschap
Debug : Creating Auth-Type = digest
Debug : Creating Auth-Type = ldap
Debug : Creating Auth-Type = eap
Debug : #### Bootstrapping modules ####
Debug : modules {
Info : Loaded module "rlm_always"
Debug : always reject {
Debug : rcode = reject
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "reject"
Debug : always fail {
Debug : rcode = fail
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "fail"
Debug : always ok {
Debug : rcode = ok
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "ok"
Debug : always handled {
Debug : rcode = handled
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "handled"
Debug : always invalid {
Debug : rcode = invalid
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "invalid"
Debug : always disallow {
Debug : rcode = disallow
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "disallow"
Debug : always notfound {
Debug : rcode = notfound
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "notfound"
Debug : always noop {
Debug : rcode = noop
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "noop"
Debug : always updated {
Debug : rcode = updated
Debug : simulcount = 0
Debug : mpp = no
Debug : }
Debug : Bootstrapping module "updated"
Info : Loaded module "rlm_attr_filter"
Debug : attr_filter attr_filter.pre-proxy {
Debug : filename = /usr/local/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
Debug : key = "%{Realm}"
Debug : relaxed = no
Debug : }
Debug : attr_filter attr_filter.post-proxy {
Debug : filename = /usr/local/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
Debug : key = "%{Realm}"
Debug : relaxed = no
Debug : }
Debug : attr_filter attr_filter.access_reject {
Debug : filename = /usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject
Debug : key = "%{User-Name}"
Debug : relaxed = no
Debug : }
Debug : attr_filter attr_filter.access_challenge {
Debug : filename = /usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
Debug : key = "%{User-Name}"
Debug : relaxed = no
Debug : }
Debug : attr_filter attr_filter.accounting_response {
Debug : filename = /usr/local/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
Debug : key = "%{User-Name}"
Debug : relaxed = no
Debug : }
Info : Loaded module "rlm_cache"
Debug : cache cache_eap {
Debug : driver = "rlm_cache_rbtree"
Debug : key = "%{%{control.State}:-%{%{reply.State}:-%{State}}}"
Debug : ttl = 15
Debug : max_entries = 0
Debug : epoch = 0
Debug : add_stats = no
Debug : }
Debug : Bootstrapping module "cache_eap"
Info : Loaded module "rlm_cache_rbtree"
Info : Loaded module "rlm_chap"
Debug : Bootstrapping module "chap"
Info : Loaded module "rlm_client"
Debug : Bootstrapping module "client"
Info : Loaded module "rlm_delay"
Debug : delay {
Debug : delay = 1.0
Debug : relative = no
Debug : force_reschedule = no
Debug : }
Debug : Bootstrapping module "delay"
Debug : delay delay_reject {
Debug : delay = "%{%{reply.FreeRADIUS-Response-Delay}:-1}"
Debug : relative = yes
Debug : force_reschedule = no
Debug : }
Debug : Bootstrapping module "delay_reject"
Info : Loaded module "rlm_detail"
Debug : detail {
Debug : filename = /usr/local/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y-%m-%d
Debug : header = "%t"
Debug : permissions = 384
Debug : locking = no
Debug : escape_filenames = no
Debug : log_packet_header = no
Debug : }
Debug : detail auth_log {
Debug : filename = /usr/local/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y-%m-%d
Debug : header = "%t"
Debug : permissions = 384
Debug : locking = no
Debug : escape_filenames = no
Debug : log_packet_header = no
Debug : }
Debug : detail reply_log {
Debug : filename = /usr/local/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y-%m-%d
Debug : header = "%t"
Debug : permissions = 384
Debug : locking = no
Debug : escape_filenames = no
Debug : log_packet_header = no
Debug : }
Debug : detail pre_proxy_log {
Debug : filename = /usr/local/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y-%m-%d
Debug : header = "%t"
Debug : permissions = 384
Debug : locking = no
Debug : escape_filenames = no
Debug : log_packet_header = no
Debug : }
Debug : detail post_proxy_log {
Debug : filename = /usr/local/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y-%m-%d
Debug : header = "%t"
Debug : permissions = 384
Debug : locking = no
Debug : escape_filenames = no
Debug : log_packet_header = no
Debug : }
Info : Loaded module "rlm_dhcpv4"
Info : Loaded module "rlm_digest"
Debug : Bootstrapping module "digest"
Info : Loaded module "rlm_eap"
Debug : eap {
Debug : default_eap_type = ttls
Debug : type = gtc
Debug : type = ttls
Debug : ignore_unknown_eap_types = no
Debug : cisco_accounting_username_bug = no
Debug : }
Debug : Bootstrapping module "eap"
Info : Loaded module "rlm_eap_gtc"
Debug : gtc {
Debug : challenge = "Password: "
Debug : auth_type = PAP
Debug : }
Info : Loaded module "rlm_eap_ttls"
Debug : ttls {
Debug : tls = tls-common
Debug : virtual_server = "default"
Debug : include_length = yes
Debug : require_client_cert = no
Debug : }
Debug : eap inner-eap {
Debug : default_eap_type = mschapv2
Debug : type = gtc
Debug : ignore_unknown_eap_types = no
Debug : cisco_accounting_username_bug = no
Debug : }
Debug : Bootstrapping module "inner-eap"
Debug : gtc {
Debug : challenge = "Password: "
Debug : auth_type = PAP
Debug : }
Info : Loaded module "rlm_exec"
Debug : exec echo {
Debug : wait = yes
Debug : program = "/bin/echo %{User-Name}"
Debug : input_pairs = request
Debug : output_pairs = reply
Debug : shell_escape = yes
Debug : }
Debug : Bootstrapping module "echo"
Info : Loaded module "rlm_escape"
Debug : escape {
Debug : safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
Debug : }
Debug : Bootstrapping module "escape"
Debug : exec {
Debug : wait = yes
Debug : input_pairs = request
Debug : shell_escape = yes
Debug : timeout = 10
Debug : }
Debug : Bootstrapping module "exec"
Info : Loaded module "rlm_expiration"
Info : Loaded module "rlm_expr"
Debug : Bootstrapping module "expr"
Info : Loaded module "rlm_files"
Debug : files {
Debug : filename = /usr/local/freeradius/etc/raddb/mods-config/files/authorize
Debug : acctusersfile = /usr/local/freeradius/etc/raddb/mods-config/files/accounting
Debug : key = "%{%{Stripped-User-Name}:-%{User-Name}}"
Debug : }
Info : global - ldap - libldap vendor: OpenLDAP, version: 20447
Info : global - ldap - extension: X_OPENLDAP
Info : global - ldap - extension: THREAD_SAFE
Info : global - ldap - extension: SESSION_THREAD_SAFE
Info : global - ldap - extension: OPERATION_THREAD_SAFE
Info : global - ldap - extension: X_OPENLDAP_THREAD_SAFE
Info : Loaded module "rlm_ldap"
Debug : ldap {
Debug : server = 'server.ldapp.com'
Debug : port = 389
Debug : identity = 'uid=api.readonly at a-domain.com,dc=server,dc=ldapp,dc=com'
Debug : password = <<< secret >>>
Debug : sasl {
Debug : }
Debug : session_tracking = no
Debug : edir_autz = yes
Debug : user {
Debug : filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
Debug : scope = "sub"
Debug : base_dn = "ou=users,dc=server,dc=ldapp,dc=com"
Debug : access_positive = yes
Debug : sasl {
Debug : }
Debug : }
Debug : group {
Debug : filter = '(objectClass=posixGroup)'
Debug : scope = "sub"
Debug : base_dn = "ou=users,dc=server,dc=ldapp,dc=com"
Debug : name_attribute = "cn"
Debug : membership_attribute = 'memberOf'
Debug : cacheable_name = no
Debug : cacheable_dn = no
Debug : group_attribute = "ldap-Group"
Debug : allow_dangling_group_ref = no
Debug : }
Debug : profile {
Debug : filter = '(&)'
Debug : }
Debug : options {
Debug : chase_referrals = yes
Debug : use_referral_credentials = no
Debug : rebind = yes
Debug : idle = 60
Debug : probes = 3
Debug : interval = 3
Debug : srv_timelimit = 3
Debug : res_timeout = 10
Debug : }
Debug : global {
Debug : ldap_debug = 0
Debug : }
Debug : tls {
Debug : start_tls = yes
Debug : require_cert = 'allow'
Debug : tls_min_version = "1.2"
Debug : }
Debug : }
Debug : Bootstrapping module "ldap"
Debug : Creating attribute ldap-Group
Info : Loaded module "rlm_linelog"
Debug : linelog {
Debug : destination = file
Debug : delimiter = "\n"
Debug : format = "This is a log message for %{User-Name}"
Debug : reference = "messages.%{%{reply.Packet-Type}:-default}"
Debug : file {
Debug : filename = /usr/local/freeradius/var/log/radius/linelog
Debug : permissions = 384
Debug : escape_filenames = no
Debug : }
Debug : syslog {
Debug : severity = "info"
Debug : }
Debug : unix {
Debug : }
Debug : tcp {
Debug : server = localhost IPv4 address [127.0.0.1]
Debug : port = 514
Debug : timeout = 2
Debug : }
Debug : udp {
Debug : server = localhost IPv4 address [127.0.0.1]
Debug : port = 514
Debug : timeout = 2
Debug : }
Debug : }
Debug : linelog log_accounting {
Debug : destination = file
Debug : delimiter = "\n"
Debug : format = ""
Debug : reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
Debug : file {
Debug : filename = /usr/local/freeradius/var/log/radius/linelog-accounting
Debug : permissions = 384
Debug : escape_filenames = no
Debug : }
Debug : syslog {
Debug : severity = "info"
Debug : }
Debug : unix {
Debug : }
Debug : tcp {
Debug : timeout = 1000
Debug : }
Debug : udp {
Debug : timeout = 1000
Debug : }
Debug : }
Info : Loaded module "rlm_logintime"
Debug : logintime {
Debug : minimum_timeout = 60
Debug : }
Info : Loaded module "rlm_mschap"
Debug : mschap {
Debug : normalise = yes
Debug : use_mppe = yes
Debug : require_encryption = no
Debug : require_strong = no
Debug : with_ntdomain_hack = yes
Debug : passchange {
Debug : }
Debug : allow_retry = yes
Debug : winbind {
Debug : }
Debug : }
Debug : Bootstrapping module "mschap"
Debug : exec ntlm_auth {
Debug : wait = yes
Debug : program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
Debug : shell_escape = yes
Debug : }
Debug : Bootstrapping module "ntlm_auth"
Info : Loaded module "rlm_pap"
Debug : pap {
Debug : normalise = yes
Debug : }
Debug : Bootstrapping module "pap"
Info : Loaded module "rlm_passwd"
Debug : passwd etc_passwd {
Debug : filename = /etc/passwd
Debug : format = "*User-Name:Crypt-Password:"
Debug : delimiter = ":"
Debug : ignore_nislike = no
Debug : ignore_empty = yes
Debug : allow_multiple_keys = no
Debug : hash_size = 100
Debug : }
Info : Loaded module "rlm_radutmp"
Debug : radutmp {
Debug : filename = /usr/local/freeradius/var/log/radius/radutmp
Debug : username = "%{User-Name}"
Debug : check_with_nas = yes
Debug : permissions = 384
Debug : caller_id = no
Debug : }
Info : Loaded module "rlm_soh"
Debug : soh {
Debug : dhcp = yes
Debug : }
Debug : Bootstrapping module "soh"
Debug : radutmp sradutmp {
Debug : filename = /usr/local/freeradius/var/log/radius/sradutmp
Debug : username = "%{User-Name}"
Debug : check_with_nas = yes
Debug : permissions = 420
Debug : caller_id = no
Debug : }
Info : Loaded module "rlm_stats"
Debug : stats {
Debug : }
Info : Loaded module "rlm_unix"
Debug : unix {
Debug : }
Debug : Bootstrapping module "unix"
Debug : Creating attribute Unix-Group
Info : Loaded module "rlm_unpack"
Debug : Bootstrapping module "unpack"
Info : Loaded module "rlm_utf8"
Debug : instantiate {
Debug : }
Debug : } # modules
Debug : #### Instantiating listeners ####
Debug : Compiling policies in server default { ... }
Debug : Compiling policies in - recv Access-Request {...}
Debug : Compiling policies in - send Access-Accept {...}
Warn : /usr/local/freeradius/etc/raddb/sites-enabled/default[1215]: Ignoring "-sql" as the "sql" module is not enabled.
Warn : /usr/local/freeradius/etc/raddb/policy.d/eap[78]: Please use the 'filter' keyword for attribute filtering
Debug : Compiling policies in - send Access-Challenge {...}
Debug : Compiling policies in - send Access-Reject {...}
Warn : /usr/local/freeradius/etc/raddb/sites-enabled/default[1339]: Ignoring "-sql" as the "sql" module is not enabled.
Warn : /usr/local/freeradius/etc/raddb/policy.d/eap[78]: Please use the 'filter' keyword for attribute filtering
Debug : Compiling policies in - authenticate pap {...}
Debug : Compiling policies in - authenticate chap {...}
Debug : Compiling policies in - authenticate mschap {...}
Debug : Compiling policies in - authenticate digest {...}
Debug : Compiling policies in - authenticate ldap {...}
Debug : Compiling policies in - authenticate eap {...}
Debug : Compiling policies in - recv Status-Server {...}
Debug : Compiling policies in - recv Accounting-Request {...}
Debug : Compiling policies in - send Accounting-Response {...}
Warn : /usr/local/freeradius/etc/raddb/sites-enabled/default[1558]: Ignoring "-sql" as the "sql" module is not enabled.
Debug : Compiling policies in - accounting Start {...}
Debug : Compiling policies in - accounting Stop {...}
Debug : Compiling policies in - accounting Alive {...}
Debug : Compiling policies in - accounting Accounting-On {...}
Debug : Compiling policies in - accounting Accounting-Off {...}
Debug : Compiling policies in - accounting Failed {...}
Debug : Compiling policies in server inner-tunnel { ... }
Debug : Compiling policies in - recv Access-Request {...}
Warn : /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[124]: Ignoring "-sql" as the "sql" module is not enabled.
Debug : Compiling policies in - send Access-Accept {...}
Warn : /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[269]: Ignoring "-sql" as the "sql" module is not enabled.
Debug : Compiling policies in - send Access-Reject {...}
Warn : /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[304]: Ignoring "-sql" as the "sql" module is not enabled.
Debug : Compiling policies in - authenticate pap {...}
Debug : Compiling policies in - authenticate chap {...}
Debug : Compiling policies in - authenticate mschap {...}
Debug : Compiling policies in - authenticate eap {...}
Debug : #### Instantiating modules ####
Debug : Instantiating module "attr_filter.access_challenge"
Debug : Reading file /usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
Debug : Instantiating module "attr_filter.access_reject"
Debug : Reading file /usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject
Debug : Instantiating module "attr_filter.accounting_response"
Debug : Reading file /usr/local/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
Debug : Instantiating module "attr_filter.post-proxy"
Debug : Reading file /usr/local/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
Debug : Instantiating module "attr_filter.pre-proxy"
Debug : Reading file /usr/local/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
Debug : Instantiating module "auth_log"
Debug : rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in detail output
Debug : Instantiating module "cache_eap"
Debug : Instantiating module "chap"
Debug : Instantiating module "detail"
Debug : Instantiating module "digest"
Debug : Instantiating module "disallow"
Debug : Instantiating module "eap"
Debug : Instantiating module "echo"
Debug : Instantiating module "etc_passwd"
Debug : Instantiating module "exec"
Debug : Instantiating module "expiration"
Debug : Instantiating module "fail"
Debug : Instantiating module "files"
Debug : Reading file /usr/local/freeradius/etc/raddb/mods-config/files/authorize
Debug : Reading file /usr/local/freeradius/etc/raddb/mods-config/files/accounting
Debug : Instantiating module "handled"
Debug : Instantiating module "inner-eap"
Warn : rlm_eap (inner-eap) - Failed to find 'authenticate inner-eap {...}' section. EAP authentication will likely not work
Debug : Instantiating module "invalid"
Debug : Instantiating module "ldap"
Debug : accounting {
Debug : reference = "%{tolower:type.%{Acct-Status-Type}}"
Debug : }
Debug : post-auth {
Debug : reference = "."
Debug : }
Debug : rlm_ldap (ldap) - Initialising connection pool
Debug : pool {
Debug : start = 4
Debug : min = 4
Debug : max = 4
Debug : max_pending = 0
Debug : spare = 1
Debug : uses = 0
Debug : lifetime = 0
Debug : cleanup_interval = 30
Debug : idle_timeout = 60
Debug : connect_timeout = 3
Debug : held_trigger_min = 0
Debug : held_trigger_max = 0.5
Debug : retry_delay = 30
Debug : spread = no
Debug : }
Warn : rlm_ldap (ldap) - Ignoring "spare = 1", forcing to "spare = 0"
Debug : rlm_ldap (ldap) - Opening additional connection (0), 1 of 4 pending slots used
Debug : rlm_ldap (ldap) - Waiting for bind result...
Debug : rlm_ldap (ldap) - Bind successful
Debug : rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
Debug : rlm_ldap (ldap) - Waiting for search result...
Info : rlm_ldap (ldap) - Directory vendor: Okta Inc.
Info : rlm_ldap (ldap) - Directory version: 1.0.0
Info : rlm_ldap (ldap) - Directory type: Unknown
Debug : rlm_ldap (ldap) - Opening additional connection (1), 1 of 3 pending slots used
Debug : rlm_ldap (ldap) - Waiting for bind result...
Debug : rlm_ldap (ldap) - Bind successful
Debug : rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
Debug : rlm_ldap (ldap) - Waiting for search result...
Info : rlm_ldap (ldap) - Directory vendor: Okta Inc.
Info : rlm_ldap (ldap) - Directory version: 1.0.0
Info : rlm_ldap (ldap) - Directory type: Unknown
Debug : rlm_ldap (ldap) - Opening additional connection (2), 1 of 2 pending slots used
Debug : rlm_ldap (ldap) - Waiting for bind result...
Debug : rlm_ldap (ldap) - Bind successful
Debug : rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
Debug : rlm_ldap (ldap) - Waiting for search result...
Info : rlm_ldap (ldap) - Directory vendor: Okta Inc.
Info : rlm_ldap (ldap) - Directory version: 1.0.0
Info : rlm_ldap (ldap) - Directory type: Unknown
Debug : rlm_ldap (ldap) - Opening additional connection (3), 1 of 1 pending slots used
Debug : rlm_ldap (ldap) - Waiting for bind result...
Debug : rlm_ldap (ldap) - Bind successful
Debug : rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
Debug : rlm_ldap (ldap) - Waiting for search result...
Info : rlm_ldap (ldap) - Directory vendor: Okta Inc.
Info : rlm_ldap (ldap) - Directory version: 1.0.0
Info : rlm_ldap (ldap) - Directory type: Unknown
Debug : Instantiating module "linelog"
Debug : Instantiating module "log_accounting"
Debug : Instantiating module "logintime"
Debug : Instantiating module "mschap"
Debug : rlm_mschap (mschap) - Using internal authentication
Debug : Instantiating module "noop"
Debug : Instantiating module "notfound"
Debug : Instantiating module "ntlm_auth"
Debug : Instantiating module "ok"
Debug : Instantiating module "pap"
Debug : Instantiating module "post_proxy_log"
Debug : Instantiating module "pre_proxy_log"
Debug : Instantiating module "reject"
Debug : Instantiating module "reply_log"
Debug : Instantiating module "stats"
Debug : Instantiating module "updated"
Debug : Instantiating module "cache_eap.rbtree"
Debug : Instantiating module "eap.ttls"
Debug : tls-config tls-common {
Debug : auto_chain = no
Debug : chain rsa {
Debug : format = PEM
Debug : certificate_file = /usr/local/freeradius/etc/raddb/certs/rsa/fullchain14.pem
Debug : private_key_file = /usr/local/freeradius/etc/raddb/certs/rsa/privkey14.pem
Debug : ca_file = /usr/local/freeradius/etc/raddb/certs/rsa/fullchain14.pem
Debug : verify_mode = hard
Debug : include_root_ca = no
Debug : }
Debug : verify_depth = 0
Debug : ca_path = /usr/local/freeradius/etc/raddb/certs
Debug : ca_file = /usr/local/freeradius/etc/raddb/certs/rsa/chain.pem
Debug : dh_file = /usr/local/freeradius/etc/raddb/certs/dh
Debug : fragment_size = 1024
Debug : check_crl = no
Debug : cipher_list = "DEFAULT"
Debug : cipher_server_preference = yes
Debug : allow_renegotiation = no
Debug : ecdh_curve = prime256v1
Debug : tls_min_version = 1.200000
Debug : cache {
Debug : name = "%{EAP-Type}%{Virtual-Server}"
Debug : lifetime = 86400
Debug : verify = no
Debug : require_extended_master_secret = yes
Debug : require_perfect_forward_secrecy = no
Debug : }
Debug : verify {
Debug : }
Debug : ocsp {
Debug : enable = no
Debug : override_cert_url = yes
Debug : url = "http://127.0.0.1/ocsp/"
Debug : use_nonce = yes
Debug : timeout = 0
Debug : softfail = no
Debug : }
Debug : staple {
Debug : enable = no
Debug : override_cert_url = yes
Debug : url = "http://127.0.0.1/ocsp/"
Debug : use_nonce = yes
Debug : timeout = 0
Debug : softfail = no
Debug : }
Debug : }
Error : tls - Failed verifying chain: error:1414C086:SSL routines:ssl_build_cert_chain:certificate verify failed:Verify error:unable to get issuer certificate
Error : rlm_eap_ttls - Failed initializing SSL context
Error : /usr/local/freeradius/etc/raddb/mods-enabled/eap[1031]: Instantiation failed for module "eap.ttls"
Debug : rlm_ldap (ldap) - Removing connection pool
Info : rlm_ldap (ldap) - Closing connection (3)
Info : rlm_ldap (ldap) - Closing connection (2)
Info : rlm_ldap (ldap) - Closing connection (1)
Info : rlm_ldap (ldap) - Closing connection (0)
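The "unable to get issuer certificate" failure in the log above can be reproduced offline with `openssl verify`. This is an added example, not part of the original thread and not FreeRADIUS code. It builds a constructed throwaway root, intermediate and server certificate (all names and file names are placeholders). It assumes the OpenSSL command-line tool and assumes, as an illustration of the reply's diagnosis, that the configured CA files hold the intermediate but no root.

```shell
#!/bin/sh
# Added example: constructed three-tier demo PKI, not Let's Encrypt's real chain.

make_demo_pki() {
    # $1 = working directory; writes root.pem, chain.pem and fullchain.pem there.
    pki_dir=$1
    cat > "$pki_dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root: the certificate a trust file must contain.
    openssl req -x509 -config "$pki_dir/demo.cnf" -extensions v3_ca \
        -subj "/CN=Demo Root" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$pki_dir/root.key" -out "$pki_dir/root.pem" 2>/dev/null || return 1
    # Intermediate signed by the root; stored as chain.pem (intermediate only).
    openssl req -new -config "$pki_dir/demo.cnf" -subj "/CN=Demo Intermediate" \
        -newkey rsa:2048 -nodes -keyout "$pki_dir/inter.key" \
        -out "$pki_dir/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$pki_dir/inter.csr" -CA "$pki_dir/root.pem" \
        -CAkey "$pki_dir/root.key" -set_serial 2 -days 2 \
        -extfile "$pki_dir/demo.cnf" -extensions v3_ca \
        -out "$pki_dir/chain.pem" 2>/dev/null || return 1
    # Server certificate signed by the intermediate.
    openssl req -new -config "$pki_dir/demo.cnf" -subj "/CN=radius.example.test" \
        -newkey rsa:2048 -nodes -keyout "$pki_dir/leaf.key" \
        -out "$pki_dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$pki_dir/leaf.csr" -CA "$pki_dir/chain.pem" \
        -CAkey "$pki_dir/inter.key" -set_serial 3 -days 2 \
        -extfile "$pki_dir/demo.cnf" -extensions v3_leaf \
        -out "$pki_dir/leaf.pem" 2>/dev/null || return 1
    # fullchain.pem = server certificate followed by the intermediate, no root.
    cat "$pki_dir/leaf.pem" "$pki_dir/chain.pem" > "$pki_dir/fullchain.pem"
}

check_chain() {
    # $1 = trusted CA bundle
    # $2 = PEM file with the server certificate first, intermediates after it
    # Prints "ok", or the reason OpenSSL gives for the failed chain build.
    if out=$(openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1); then
        echo "ok"
    else
        printf '%s\n' "$out" |
            sed -n 's/^error [0-9][0-9]* at [0-9][0-9]* depth lookup: *//p' |
            head -n 1
    fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || { echo "openssl failed to build demo PKI" >&2; exit 1; }

# Trust file holds only the intermediate: the chain cannot reach a root.
echo "trust = chain.pem (intermediate only): $(check_chain "$demo_dir/chain.pem" "$demo_dir/fullchain.pem")"
# Trust file holds the self-signed root: the chain builds.
echo "trust = root.pem:                      $(check_chain "$demo_dir/root.pem" "$demo_dir/fullchain.pem")"

rm -rf "$demo_dir"
```

With real files, pass the CA bundle the server is pointed at as the first argument and the certificate-plus-intermediates file as the second; `ok` appears only once the bundle reaches a self-signed root.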