(RADIATOR) OK, I'm Confused
Hugh Irvine
hugh at open.com.au
Wed Nov 10 18:35:00 CST 2004
Hello Phil -
Have you restarted radiusd to re-read the configuration file?
regards
Hugh
On 11 Nov 2004, at 11:25, Phil Ershler wrote:
> Hi,
> I've got one Radiator RADIUS Server setup and running on an OS X
> 10.3.6 server. In this case the certificates for TTLS are in
> /usr/local/Radiator-3.9. It's working just fine for authenticating
> wireless access against an OpenDirectory/LDAP database.
> Now I am setting up a test bed to work out our own certificates. In
> this case the certificates are in /Radiator-3.9. I have also tried
> putting the certificates in /etc/radiator/certificates. For each
> certificate location, I have made the appropriate changes to
> radius.cfg to point to the certificate location. I can't get the
> server to behave properly. In every case here's what the log shows.
>
> Wed Nov 10 16:50:23 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Wed Nov 10 16:50:23 2004: DEBUG: Deleting session for ershler,
> 155.100.140.125, 1
> Wed Nov 10 16:50:23 2004: DEBUG: Handling with Radius::AuthLDAP2:
> LDAPBind
> Wed Nov 10 16:50:23 2004: DEBUG: Handling with EAP: code 2, 0, 12
> Wed Nov 10 16:50:23 2004: DEBUG: Response type 1
> Wed Nov 10 16:50:23 2004: ERR: TLS could not load_verify_locations
> /usr/local/Radiator-3.9/certificates/demoCA/cacert.pem, : 228: 1 -
> error:02001002:system library:fopen:No such file or directory
> 228: 2 - error:2006D080:BIO routines:BIO_new_file:no such file
> 228: 3 - error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib
>
> Wed Nov 10 16:50:23 2004: DEBUG: EAP result: 1, EAP TTLS Could not
> initialise context
> Wed Nov 10 16:50:23 2004: INFO: Access rejected for ershler: EAP TTLS
> Could not initialise context
>
> Is this message "TLS could not load_verify_locations
> /usr/local/Radiator-3.9/certificates/demoCA/cacert.pem" a red herring
> or is this hard coded into Radiator somewhere? Here is the appropriate
> auth clause from radius.cfg for the certificates in
> /etc/radiator/certificates.
>
> Can you help me out?
>
> Thanks, Phil
>
>
> <AuthBy LDAP2>
>     Identifier LDAPBind
>
>     # Open Directory has proprietary encrypted passwords
>     # so we must get the server to check them.
>     ServerChecksPassword
>
>     # Tell Radiator how to talk to the LDAP Server
>     Host 155.100.140.12
>     BaseDN dc=cvrti, dc=utah, dc=edu
>     Version 3
>     UsernameAttr uid
>
>     FailureBackoffTime 30
>
>     # EAPType sets the EAP type(s) that Radiator will honour.
>     # Options are: MD5-Challenge, One-Time-Password
>     # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>     # Multiple types can be comma separated. With the default (most
>     # preferred) type given first
>     EAPType TTLS
>
>     # EAPTLS_CAFile is the name of a file of CA certificates
>     # in PEM format. The file can contain several CA certificates
>     # Radiator will first look in EAPTLS_CAFile then in
>     # EAPTLS_CAPath, so there usually is no need to set both
>     EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
>
>     # EAPTLS_CAPath is the name of a directory containing CA
>     # certificates in PEM format. The files each contain one
>     # CA certificate. The files are looked up by the CA
>     # subject name hash value
>     # EAPTLS_CAPath
>
>     # EAPTLS_CertificateFile is the name of a file containing
>     # the server's certificate. EAPTLS_CertificateType
>     # specifies the type of the file. Can be PEM or ASN1
>     # defaults to ASN1
>     EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>     EAPTLS_CertificateType PEM
>
>     # EAPTLS_PrivateKeyFile is the name of the file containing
>     # the server's private key. It is sometimes in the same file
>     # as the server certificate (EAPTLS_CertificateFile)
>     # If the private key is encrypted (usually the case)
>     # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>     EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
>     EAPTLS_PrivateKeyPassword whatever
>
>     # EAPTLS_RandomFile is an optional file containing randomness
>     # EAPTLS_RandomFile %D/certificates/random
>
>     # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>     # size that will be replied by Radiator. It must be small
>     # enough to fit in a single Radius request (ie less than 4096)
>     # and still leave enough space for other attributes
>     # Aironet APs seem to need a smaller MaxFragmentSize
>     # (eg 1024) than the default of 2048. Others need even smaller sizes.
>     EAPTLS_MaxFragmentSize 1000
>
>     # EAPTLS_DHFile if set specifies the DH group file. It
>     # may be required if you need to use ephemeral DH keys.
>     # EAPTLS_DHFile %D/certificates/cert/dh
>
>     # If EAPTLS_CRLCheck is set and the client presents a certificate
>     # then Radiator will look for a certificate revocation list (CRL)
>     # for the certificate issuer when authenticating each client.
>     # If a CRL file is not found, or if the CRL says the certificate
>     # has been revoked, the authentication will fail with an error:
>     # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>     # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>     # Alternatively, CRLs may follow a file naming convention:
>     # the hash of the issuer subject name
>     # and a suffix that depends on the serial number.
>     # eg ab1331b2.r0, ab1331b2.r1 etc.
>     # You can find out the hash of the issuer name in a CRL with
>     # openssl crl -in crl.pem -hash -noout
>     # CRLs with this name convention
>     # will be searched in EAPTLS_CAPath, else in the openssl
>     # certificates directory, typically /usr/local/openssl/certs/
>     # CRLs are expected to be in PEM format.
>     # CRL files can be generated with openssl like this:
>     # openssl ca -gencrl -revoke cert-clt.pem
>     # openssl ca -gencrl -out crl.pem
>     # Use of these flags requires Net_SSLeay-1.21 or later
>     #EAPTLS_CRLCheck
>     #EAPTLS_CRLFile %D/certificates/crl.pem
>     #EAPTLS_CRLFile %D/certificates/revocations.pem
>
>     # Some clients, depending on their configuration, may require you to specify
>     # MPPE send and receive keys. This _will_ be required if you select
>     # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>     # client Network Properties dialog.
>     # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>     # in the final Access-Accept
>     AutoMPPEKeys
>
>     # You can enable some warning messages from the Net::SSLeay
>     # module by setting SSLeayTrace to an integer from 1 to 4
>     # 1=ciphers, 2=trace, 3=dump data
>     #SSLeayTrace 4
>
>     # You can configure the User-Name that will be used for the inner
>     # authentication. Defaults to 'anonymous'. This can be useful
>     # when proxying the inner authentication. If there is a realm, it can
>     # be used to choose a local Realm to handle the inner authentication.
>     # %0 is replaced with the EAP identity
>     # EAPAnonymous anonymous@some.other.realm
>
>     # You can enable or disable support for TTLS Session Resumption and
>     # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>     # Default is enabled
>     #EAPTLS_SessionResumption 0
>
>     # You can limit how long after the initial session that a session can be resumed
>     # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
>     # (12 hours)
>     #EAPTLS_SessionResumptionLimit 10
>
>     # You can use CheckAttr, ReplyAttr and AuthAttrDef
>     # to specify check and reply attributes in the LDAP
>     # database. See the reference manual for more
>     # information
>
>     # These are the classic things to add to each user's
>     # reply to allow a PPP dialup session. It may be
>     # different for your NAS. This will add some
>     # reply items to everyone's reply
>     AddToReply Framed-Protocol = PPP,\
>         Framed-IP-Netmask = 255.255.255.255,\
>         Framed-Routing = None,\
>         Framed-MTU = 1500,\
>         Framed-Compression = Van-Jacobson-TCP-IP
>
>     # You can enable debugging of the Net::LDAP
>     # module with this:
>     Debug 255
> </AuthBy>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
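A preflight check for the thread above, added here as an example; it is not code from the Radiator project or from either poster. The posted log names /usr/local/Radiator-3.9/certificates/demoCA/cacert.pem while the posted clause points at /etc/radiator/certificates, which is what a still-running radiusd with the old configuration looks like. Before restarting it is worth confirming that the files named in the new clause actually load, using the same OpenSSL operations behind the logged error: load_verify_locations for EAPTLS_CAFile and load_cert_chain for EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile. The clause text, the paths and the helper names below are constructed for the example; %D (Radiator's DbDir macro) is expanded only when the caller supplies a directory, since no default is assumed.

```python
"""Preflight the EAPTLS_* file settings in a Radiator <AuthBy> clause.

Added example, not Radiator code. Checks each named file for existence and
readability, then loads the files through Python's ssl module, which calls
the same OpenSSL routines Radiator uses when it builds its TLS context.
"""
import os
import ssl
import tempfile

# Constructed clause with hypothetical paths, mirroring the posted config.
SAMPLE_CFG = """\
<AuthBy LDAP2>
    Identifier LDAPBind
    EAPType TTLS
    # EAPTLS_CAPath
    EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
</AuthBy>
"""

# Settings whose value is a file Radiator opens at TLS context setup.
FILE_KEYS = ("EAPTLS_CAFile", "EAPTLS_CertificateFile",
             "EAPTLS_PrivateKeyFile", "EAPTLS_DHFile", "EAPTLS_CRLFile")


def parse_eaptls(cfg_text, dbdir=None):
    """Return {setting: value} for the uncommented EAPTLS_* lines.

    %D is Radiator's DbDir macro; it is expanded only when dbdir is given
    because this example does not assume Radiator's default for it.
    """
    settings = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("EAPTLS_"):
            value = parts[1].strip()
            if dbdir is not None:
                value = value.replace("%D", dbdir)
            settings[parts[0]] = value
    return settings


def check_tls_files(settings):
    """Return a list of (setting, problem) pairs; an empty list means OK."""
    problems = []
    for key in FILE_KEYS:
        path = settings.get(key)
        if path is None:
            continue
        if not os.path.isfile(path):
            problems.append((key, "%s: No such file or directory" % path))
        elif not os.access(path, os.R_OK):
            # radiusd normally runs unprivileged: a root-only key file
            # fails with EACCES rather than ENOENT, and is easy to miss.
            problems.append((key, "%s: Permission denied" % path))
    if problems:
        return problems  # no point handing missing files to OpenSSL

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cafile = settings.get("EAPTLS_CAFile")
    if cafile:
        try:
            ctx.load_verify_locations(cafile=cafile)  # X509_load_cert_crl_file
        except (ssl.SSLError, OSError) as exc:
            problems.append(("EAPTLS_CAFile",
                             "load_verify_locations failed: %s" % exc))
    certfile = settings.get("EAPTLS_CertificateFile")
    if certfile:
        # The key may live in the certificate file, as in the posted clause.
        keyfile = settings.get("EAPTLS_PrivateKeyFile") or certfile
        password = settings.get("EAPTLS_PrivateKeyPassword")
        try:
            ctx.load_cert_chain(certfile=certfile, keyfile=keyfile,
                                password=password)
        except (ssl.SSLError, OSError) as exc:
            problems.append(("EAPTLS_CertificateFile",
                             "load_cert_chain failed: %s" % exc))
    return problems


def check_bogus_ca():
    """Second failure class: a CA file that exists but holds no PEM cert.

    Writes a throwaway non-PEM file into a temporary directory and runs the
    check against it; returns the reported problems.
    """
    with tempfile.TemporaryDirectory() as tmp:
        cafile = os.path.join(tmp, "cacert.pem")
        with open(cafile, "w") as fh:
            fh.write("this is not a certificate\n")
        return check_tls_files({"EAPTLS_CAFile": cafile})


if __name__ == "__main__":
    for key, problem in check_tls_files(parse_eaptls(SAMPLE_CFG)) + check_bogus_ca():
        print("%s: %s" % (key, problem))
```

Run it as the user radiusd runs as, not as root, so the readability check reflects what the daemon will see; a clean result for the new clause plus a restart of radiusd is the point at which the path in the log should change.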