(RADIATOR) OK, I'm Confused
Phil Ershler
ershler at cvrti.utah.edu
Wed Nov 10 18:25:43 CST 2004
Hi,
I've got one Radiator RADIUS Server setup and running on an OS X
10.3.6 server. In this case the certificates for TTLS are in
/usr/local/Radiator-3.9. It's working just fine for authenticating
wireless access against an OpenDirectory/LDAP database.
Now I am setting up a test bed to work out our own certificates. In
this case the certificates are in /Radiator-3.9. I have also tried
putting the certificates in /etc/radiator/certificates. For each
certificate location, I have made the appropriate changes to radius.cfg
to point to the certificate location. I can't get the server to behave
properly. In every case here's what the log shows.
Wed Nov 10 16:50:23 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 10 16:50:23 2004: DEBUG: Deleting session for ershler, 155.100.140.125, 1
Wed Nov 10 16:50:23 2004: DEBUG: Handling with Radius::AuthLDAP2: LDAPBind
Wed Nov 10 16:50:23 2004: DEBUG: Handling with EAP: code 2, 0, 12
Wed Nov 10 16:50:23 2004: DEBUG: Response type 1
Wed Nov 10 16:50:23 2004: ERR: TLS could not load_verify_locations /usr/local/Radiator-3.9/certificates/demoCA/cacert.pem, : 228: 1 - error:02001002:system library:fopen:No such file or directory
228: 2 - error:2006D080:BIO routines:BIO_new_file:no such file
228: 3 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Wed Nov 10 16:50:23 2004: DEBUG: EAP result: 1, EAP TTLS Could not initialise context
Wed Nov 10 16:50:23 2004: INFO: Access rejected for ershler: EAP TTLS Could not initialise context
Is this message "TLS could not load_verify_locations
/usr/local/Radiator-3.9/certificates/demoCA/cacert.pem" a red herring
or is this hard coded into Radiator somewhere? Here is the appropriate
auth clause from radius.cfg for the certificates in
/etc/radiator/certificates.
Can you help me out?
Thanks, Phil
<AuthBy LDAP2>
	Identifier LDAPBind
	# Open Directory has proprietary encrypted passwords
	# so we must get the server to check them.
	ServerChecksPassword
	# Tell Radiator how to talk to the LDAP Server
	Host 155.100.140.12
	BaseDN dc=cvrti, dc=utah, dc=edu
	Version 3
	UsernameAttr uid
	FailureBackoffTime 30
	# EAPType sets the EAP type(s) that Radiator will honour.
	# Options are: MD5-Challenge, One-Time-Password
	# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
	# Multiple types can be comma separated. With the default (most
	# preferred) type given first
	EAPType TTLS
	# EAPTLS_CAFile is the name of a file of CA certificates
	# in PEM format. The file can contain several CA certificates
	# Radiator will first look in EAPTLS_CAFile then in
	# EAPTLS_CAPath, so there usually is no need to set both
	EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
	# EAPTLS_CAPath is the name of a directory containing CA
	# certificates in PEM format. The files each contain one
	# CA certificate. The files are looked up by the CA
	# subject name hash value
	# EAPTLS_CAPath
	# EAPTLS_CertificateFile is the name of a file containing
	# the server's certificate. EAPTLS_CertificateType
	# specifies the type of the file. Can be PEM or ASN1
	# defaults to ASN1
	EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
	EAPTLS_CertificateType PEM
	# EAPTLS_PrivateKeyFile is the name of the file containing
	# the server's private key. It is sometimes in the same file
	# as the server certificate (EAPTLS_CertificateFile)
	# If the private key is encrypted (usually the case)
	# then EAPTLS_PrivateKeyPassword is the key to decrypt it
	EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
	EAPTLS_PrivateKeyPassword whatever
	# EAPTLS_RandomFile is an optional file containing
	# randomness
	# EAPTLS_RandomFile %D/certificates/random
	# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
	# size that will be replied by Radiator. It must be small
	# enough to fit in a single Radius request (ie less than 4096)
	# and still leave enough space for other attributes
	# Aironet APs seem to need a smaller MaxFragmentSize
	# (eg 1024) than the default of 2048. Others need even smaller sizes.
	EAPTLS_MaxFragmentSize 1000
	# EAPTLS_DHFile if set specifies the DH group file. It
	# may be required if you need to use ephemeral DH keys.
	# EAPTLS_DHFile %D/certificates/cert/dh
	# If EAPTLS_CRLCheck is set and the client presents a certificate
	# then Radiator will look for a certificate revocation list (CRL)
	# for the certificate issuer
	# when authenticating each client. If a CRL file is not found, or
	# if the CRL says the certificate has been revoked, the authentication will
	# fail with an error:
	# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
	# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
	# Alternatively, CRLs may follow a file naming convention:
	# the hash of the issuer subject name
	# and a suffix that depends on the serial number.
	# eg ab1331b2.r0, ab1331b2.r1 etc.
	# You can find out the hash of the issuer name in a CRL with
	# openssl crl -in crl.pem -hash -noout
	# CRLs with this name convention
	# will be searched in EAPTLS_CAPath, else in the openssl
	# certificates directory typically /usr/local/openssl/certs/
	# CRLs are expected to be in PEM format.
	# A CRL file can be generated with openssl like this:
	# openssl ca -gencrl -revoke cert-clt.pem
	# openssl ca -gencrl -out crl.pem
	# Use of these flags requires Net_SSLeay-1.21 or later
	#EAPTLS_CRLCheck
	#EAPTLS_CRLFile %D/certificates/crl.pem
	#EAPTLS_CRLFile %D/certificates/revocations.pem
	# Some clients, depending on their configuration, may require you to specify
	# MPPE send and receive keys. This _will_ be required if you select
	# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
	# client Network Properties dialog.
	# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
	# in the final Access-Accept
	AutoMPPEKeys
	# You can enable some warning messages from the Net::SSLeay
	# module by setting SSLeayTrace to an integer from 1 to 4
	# 1=ciphers, 2=trace, 3=dump data
	#SSLeayTrace 4
	# You can configure the User-Name that will be used for the inner
	# authentication. Defaults to 'anonymous'. This can be useful
	# when proxying the inner authentication. If there is a realm, it can
	# be used to choose a local Realm to handle the inner authentication.
	# %0 is replaced with the EAP identity
	# EAPAnonymous anonymous at some.other.realm
	# You can enable or disable support for TTLS Session Resumption and
	# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
	# Default is enabled
	#EAPTLS_SessionResumption 0
	# You can limit how long after the initial session that a session can be resumed
	# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
	# (12 hours)
	#EAPTLS_SessionResumptionLimit 10
	# You can use CheckAttr, ReplyAttr and AuthAttrDef
	# to specify check and reply attributes in the LDAP
	# database. See the reference manual for more
	# information
	# These are the classic things to add to each user's
	# reply to allow a PPP dialup session. It may be
	# different for your NAS. This will add some
	# reply items to everyone's reply
	AddToReply Framed-Protocol = PPP,\
		Framed-IP-Netmask = 255.255.255.255,\
		Framed-Routing = None,\
		Framed-MTU = 1500,\
		Framed-Compression = Van-Jacobson-TCP-IP
	# You can enable debugging of the Net::LDAP
	# module with this:
	Debug 255
</AuthBy>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
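A pre-flight check for the situation in the post, added here as an example (it is not from the post or from Radiator itself): it lists the EAPTLS_* file paths in a radius.cfg, expands %D from the DbDir parameter, and reports which files the server will fail to open. The config and files it creates are constructed samples, and it assumes DbDir is set before the AuthBy clause.

```shell
# Added example (not from the post, nor Radiator's own code): list the
# certificate files an EAP-TLS/TTLS AuthBy clause refers to, expand %D
# (DbDir) as Radiator does, and report which are missing, so an error like
# "TLS could not load_verify_locations ... No such file" maps to a path.

# Print the expanded EAPTLS_* file paths found in a radius.cfg. Lines that
# are commented out (#EAPTLS_CRLFile ...) are skipped; %D is replaced with
# the DbDir value if one is set earlier in the file (assumed layout).
cert_paths() {
    awk '
        /^[[:space:]]*DbDir[[:space:]]/ { dbdir = $2 }
        /^[[:space:]]*EAPTLS_(CAFile|CertificateFile|PrivateKeyFile|DHFile|CRLFile)[[:space:]]/ {
            path = $2
            if (dbdir != "") gsub(/%D/, dbdir, path)
            print path
        }' "$1"
}

# Report each path as ok or MISSING; the return value is the number missing.
check_cert_paths() {
    missing=0
    for p in $(cert_paths "$1"); do
        if [ -r "$p" ]; then
            echo "ok       $p"
        else
            echo "MISSING  $p"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: DbDir plus a clause modelled on the one in the post;
# the server cert is created, the demoCA CA file is deliberately absent.
DEMO_DBDIR=$(mktemp -d)
DEMO_CFG="$DEMO_DBDIR/radius.cfg"
mkdir -p "$DEMO_DBDIR/certificates"
touch "$DEMO_DBDIR/certificates/cert-srv.pem"
cat > "$DEMO_CFG" <<EOF
DbDir $DEMO_DBDIR
<AuthBy LDAP2>
    EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile %D/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
    #EAPTLS_CRLFile %D/certificates/crl.pem
</AuthBy>
EOF
check_cert_paths "$DEMO_CFG" || echo "$? certificate file(s) missing"
```

Run it against the real radius.cfg with the same DbDir the server uses; a path reported MISSING, or one still containing a literal %D, is the file the TLS context will fail to load.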