(RADIATOR) OK, I'm Confused

Phil Ershler ershler at cvrti.utah.edu
Wed Nov 10 18:25:43 CST 2004


Hi,
	I've got one Radiator RADIUS Server setup and running on an OS X 
10.3.6 server. In this case the certificates for TTLS are in 
/usr/local/Radiator-3.9. It's working just fine for authenticating 
wireless access against an OpenDirectory/LDAP database.
	Now I am setting up a test bed to work out our own certificates. In 
this case the certificates are in /Radiator-3.9. I have also tried 
putting the certificates in /etc/radiator/certificates. For each 
certificate location, I have made the appropriate changes to radius.cfg 
to point to the certificate location. I can't get the server to behave 
properly. In every case here's what the log shows.

Wed Nov 10 16:50:23 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 10 16:50:23 2004: DEBUG:  Deleting session for ershler, 155.100.140.125, 1
Wed Nov 10 16:50:23 2004: DEBUG: Handling with Radius::AuthLDAP2: LDAPBind
Wed Nov 10 16:50:23 2004: DEBUG: Handling with EAP: code 2, 0, 12
Wed Nov 10 16:50:23 2004: DEBUG: Response type 1
Wed Nov 10 16:50:23 2004: ERR: TLS could not load_verify_locations /usr/local/Radiator-3.9/certificates/demoCA/cacert.pem, :  228: 1 - error:02001002:system library:fopen:No such file or directory
  228: 2 - error:2006D080:BIO routines:BIO_new_file:no such file
  228: 3 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Wed Nov 10 16:50:23 2004: DEBUG: EAP result: 1, EAP TTLS Could not initialise context
Wed Nov 10 16:50:23 2004: INFO: Access rejected for ershler: EAP TTLS Could not initialise context

	Is this message "TLS could not load_verify_locations 
/usr/local/Radiator-3.9/certificates/demoCA/cacert.pem" a red herring 
or is this hard coded into Radiator somewhere? Here is the appropriate 
auth clause from radius.cfg for the certificates in 
/etc/radiator/certificates.

	Can you help me out?

Thanks, Phil


        <AuthBy LDAP2>
                Identifier LDAPBind

                # Open Directory has proprietary encrypted passwords
                # so we must get the server to check them.
                ServerChecksPassword

                # Tell Radiator how to talk to the LDAP Server
                Host            155.100.140.12
                BaseDN          dc=cvrti, dc=utah, dc=edu
                Version         3
                UsernameAttr    uid

                FailureBackoffTime 30

                # EAPType sets the EAP type(s) that Radiator will honour.
                # Options are: MD5-Challenge, One-Time-Password
                # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                # Multiple types can be comma separated, with the default (most
                # preferred) type given first
                EAPType TTLS

                # EAPTLS_CAFile is the name of a file of CA certificates
                # in PEM format. The file can contain several CA certificates.
                # Radiator will first look in EAPTLS_CAFile then in
                # EAPTLS_CAPath, so there usually is no need to set both
                EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem

                # EAPTLS_CAPath is the name of a directory containing CA
                # certificates in PEM format. The files each contain one
                # CA certificate. The files are looked up by the CA
                # subject name hash value
                #EAPTLS_CAPath

                # EAPTLS_CertificateFile is the name of a file containing
                # the server's certificate. EAPTLS_CertificateType
                # specifies the type of the file. Can be PEM or ASN1,
                # defaults to ASN1
                EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM

                # EAPTLS_PrivateKeyFile is the name of the file containing
                # the server's private key. It is sometimes in the same file
                # as the server certificate (EAPTLS_CertificateFile).
                # If the private key is encrypted (usually the case)
                # then EAPTLS_PrivateKeyPassword is the key to decrypt it
                EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever

                # EAPTLS_RandomFile is an optional file containing
                # randomness
                #EAPTLS_RandomFile %D/certificates/random

                # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
                # size that will be replied by Radiator. It must be small
                # enough to fit in a single Radius request (ie less than 4096)
                # and still leave enough space for other attributes.
                # Aironet APs seem to need a smaller MaxFragmentSize
                # (eg 1024) than the default of 2048. Others need even
                # smaller sizes.
                EAPTLS_MaxFragmentSize 1000

                # EAPTLS_DHFile if set specifies the DH group file. It
                # may be required if you need to use ephemeral DH keys.
                #EAPTLS_DHFile %D/certificates/cert/dh

                # If EAPTLS_CRLCheck is set and the client presents a certificate
                # then Radiator will look for a certificate revocation list (CRL)
                # for the certificate issuer when authenticating each client.
                # If a CRL file is not found, or if the CRL says the certificate
                # has been revoked, the authentication will fail with an error:
                #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
                # Alternatively, CRLs may follow a file naming convention:
                #  the hash of the issuer subject name
                # and a suffix that depends on the serial number,
                # eg ab1331b2.r0, ab1331b2.r1 etc.
                # You can find out the hash of the issuer name in a CRL with
                #  openssl crl -in crl.pem -hash -noout
                # CRLs with this name convention will be searched for in
                # EAPTLS_CAPath, else in the openssl certificates directory,
                # typically /usr/local/openssl/certs/
                # CRLs are expected to be in PEM format.
                # CRL files can be generated with openssl like this:
                #  openssl ca -gencrl -revoke cert-clt.pem
                #  openssl ca -gencrl -out crl.pem
                # Use of these flags requires Net_SSLeay-1.21 or later
                #EAPTLS_CRLCheck
                #EAPTLS_CRLFile %D/certificates/crl.pem
                #EAPTLS_CRLFile %D/certificates/revocations.pem

                # Some clients, depending on their configuration, may require
                # you to specify MPPE send and receive keys. This _will_ be
                # required if you select 'Keys will be generated automatically
                # for data privacy' in the Funk Odyssey client Network
                # Properties dialog.
                # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
                # in the final Access-Accept
                AutoMPPEKeys

                # You can enable some warning messages from the Net::SSLeay
                # module by setting SSLeayTrace to an integer from 1 to 4
                # 1=ciphers, 2=trace, 3=dump data
                #SSLeayTrace 4

                # You can configure the User-Name that will be used for the
                # inner authentication. Defaults to 'anonymous'. This can be
                # useful when proxying the inner authentication. If there is
                # a realm, it can be used to choose a local Realm to handle
                # the inner authentication.
                # %0 is replaced with the EAP identity
                # EAPAnonymous anonymous at some.other.realm

                # You can enable or disable support for TTLS Session Resumption
                # and PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
                # Default is enabled
                #EAPTLS_SessionResumption 0

                # You can limit how long after the initial session that a
                # session can be resumed with EAPTLS_SessionResumptionLimit
                # (time in seconds). Defaults to 43200 (12 hours)
                #EAPTLS_SessionResumptionLimit 10

                # You can use CheckAttr, ReplyAttr and AuthAttrDef
                # to specify check and reply attributes in the LDAP
                # database. See the reference manual for more
                # information

                # These are the classic things to add to each user's
                # reply to allow a PPP dialup session. It may be
                # different for your NAS. This will add some
                # reply items to everyone's reply
                AddToReply Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Framed-Compression = Van-Jacobson-TCP-IP

                # You can enable debugging of the Net::LDAP
                # module with this:
                Debug 255
        </AuthBy>
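Added example (not part of Phil's post and not Radiator code): the log above fails in load_verify_locations on /usr/local/Radiator-3.9/certificates/demoCA/cacert.pem, while the posted clause names /etc/radiator/certificates/demoCA/cacert.pem, so the first thing worth confirming is which radius.cfg the running radiusd actually loaded and whether every EAPTLS_* file it names resolves. The script below is a pre-flight check for that: it parses the EAPTLS_* file parameters out of an <AuthBy> clause (skipping commented-out lines), expands Radiator's %D macro to an assumed DbDir, reports each file as ok, missing or unreadable, and then performs the same OpenSSL operation on EAPTLS_CAFile that failed in the log, using Python's ssl module as a stand-in for Net::SSLeay. The sample clause, the temporary DbDir and the bogus cacert.pem contents in demo() are constructed for the example.

```python
"""Pre-flight check for the EAPTLS_* file parameters of a Radiator <AuthBy> clause.

Illustration only, not Radiator's own code. Run it against the radius.cfg
that radiusd is started with (the one named on its command line or the
default it falls back to), not against a copy you think it is reading.
"""
import os
import ssl
import tempfile

# Parameters in the posted clause whose value must name a readable file.
FILE_PARAMS = (
    "EAPTLS_CAFile", "EAPTLS_CertificateFile", "EAPTLS_PrivateKeyFile",
    "EAPTLS_DHFile", "EAPTLS_RandomFile", "EAPTLS_CRLFile",
)


def parse_file_params(cfg_text, dbdir="/etc/radiator"):
    """Return {param: [path, ...]} for every active (uncommented) file parameter.

    Radiator replaces %D with DbDir; dbdir is the assumed value of that directory.
    """
    found = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out parameter
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # flag-style parameter with no value
        key, value = parts
        if key in FILE_PARAMS:
            found.setdefault(key, []).append(value.strip().replace("%D", dbdir))
    return found


def check_file(path):
    """Classify one path as 'ok', 'missing' or 'unreadable' for this user."""
    if not os.path.exists(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    return "ok"


def try_load_ca(path):
    """Do what the TLS initialisation does: load the CA file into an SSL context.

    Returns None on success, otherwise the error text (OSError for a missing
    file, ssl.SSLError for a file OpenSSL cannot parse as PEM certificates).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_verify_locations(cafile=path)
    except (OSError, ssl.SSLError) as exc:
        return str(exc)
    return None


def preflight(cfg_text, dbdir="/etc/radiator"):
    """Return [(param, path, status), ...]; status is 'ok' only when the file
    exists, is readable and, for EAPTLS_CAFile, loads as a CA bundle."""
    report = []
    for param, paths in parse_file_params(cfg_text, dbdir).items():
        for path in paths:
            status = check_file(path)
            if status == "ok" and param == "EAPTLS_CAFile":
                err = try_load_ca(path)
                if err is not None:
                    status = "unloadable: " + err
            report.append((param, path, status))
    return report


# Constructed sample clause modelled on the posted one, with %D instead of
# a hard-coded directory and the mail-client line wraps joined.
SAMPLE_CFG = """
<AuthBy LDAP2>
    Identifier LDAPBind
    EAPType TTLS
#   EAPTLS_CAPath %D/certificates
    EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile %D/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
    AutoMPPEKeys
</AuthBy>
"""


def demo():
    """Run the pre-flight in a temporary DbDir where only cacert.pem exists and
    holds no PEM certificate, so both failure modes show up. Returns the report."""
    with tempfile.TemporaryDirectory() as dbdir:
        ca_dir = os.path.join(dbdir, "certificates", "demoCA")
        os.makedirs(ca_dir)
        with open(os.path.join(ca_dir, "cacert.pem"), "w") as fh:
            fh.write("this is not a certificate\n")   # constructed bogus CA file
        return preflight(SAMPLE_CFG, dbdir)


if __name__ == "__main__":
    for param, path, status in demo():
        print(f"{param:24} {path}: {status}")
```

To use it on a real server, read the clause (or the whole radius.cfg) into a string and call preflight() with the DbDir that radiusd is configured with; a "missing" result for a path that looks right usually means the daemon was started with a different configuration file than the one being edited.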

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

