Hello. When I launch radius:
./radius -X
I get an error.
I configured the radiusd.conf file for EAP-TLS authentication, but when I launch radius it shows me an error message:
I think it must come from this line
-tls: check_cert_cn = "(null)"
so I put in the CN that I had entered when creating root.der, but that didn't work either.
I replaced it with -tls: check_cert_cn = "nomduserveur"
I still have the same problem.
Where can my problem come from???
Thanks a million!!!
Here is the traced startup of radius (at the end of the file, it crashes)
[root@localhost radiusd]# ./radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/localhost.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/localhost.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
tls: private_key_password = "azertyui"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "(null)"
19850:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:637:Expecting: CERTIFICATE
19850:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:450:
19850:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:423:
19850:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[600]: eap: Module instantiation failed.
# launching freeradius: crash
Posted by bigboss200000. Rated 1.
When generating my certificates, I used ready-made files:
CA.root, CA.srv, CA.clt
In these files, the password is whatever
but when I generated my certificates, I was asked for a challenge password:
this one should normally be put into the radiusd.conf file afterwards, but in our case the CA file generating the certificates contains whatever as the password.
solution:
in radiusd.conf, replace the password you typed as the challenge password with the one in the CA file
So at startup we get
tls: private_key_password = "whatever"
instead of
tls: private_key_password = "azertyui"
ps: azertyui is my challenge password
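As an added example (not part of either post above), here is a small shell check that reproduces the step radiusd performs in the failing debug trace: decrypting the PEM private key with the configured private_key_password. Running it before restarting radiusd tells a wrong passphrase (OpenSSL's "EVP_DecryptFinal:bad decrypt") apart from other TLS setup errors, and also confirms that private_key_file and certificate_file belong to the same key pair. It assumes the openssl command-line tool is installed; the key, certificate and directory names are invented for the demo, and the two passphrases it tries are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeRADIUS.
# Assumes the `openssl` CLI. File names and the demo key material are
# constructed here for illustration.

# check_key_password FILE PASSPHRASE
# Returns 0 if PASSPHRASE decrypts the private key in FILE, 1 otherwise.
# This is the same decryption radiusd does when loading private_key_file;
# a wrong passphrase produces the "bad decrypt" error seen in the debug log.
check_key_password() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# key_matches_cert KEYFILE PASSPHRASE CERTFILE
# Returns 0 if the public key derived from KEYFILE equals the public key
# embedded in CERTFILE, i.e. private_key_file and certificate_file agree.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$3" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# make_demo_material
# Builds a throwaway AES-encrypted RSA key (passphrase "whatever", as in the
# CA.* scripts mentioned in the thread) and a self-signed certificate for it.
# Prints the temporary directory holding localhost.key and localhost.crt.
make_demo_material() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass pass:whatever -out "$dir/localhost.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/localhost.key" -passin pass:whatever \
        -subj /CN=radius.example -days 1 -out "$dir/localhost.crt" 2>/dev/null
    echo "$dir"
}

# Demo: try the key passphrase and the CSR challenge password from the thread.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(make_demo_material)
    for pw in whatever azertyui; do
        if check_key_password "$demo_dir/localhost.key" "$pw"; then
            echo "private_key_password \"$pw\": decrypts the key"
        else
            echo "private_key_password \"$pw\": bad decrypt"
        fi
    done
    if key_matches_cert "$demo_dir/localhost.key" whatever "$demo_dir/localhost.crt"; then
        echo "certificate and private key match"
    fi
    rm -rf "$demo_dir"
fi
```

Point the two functions at your real /usr/local/etc/raddb/certs files instead of the demo material. Note that the "challenge password" prompted for when a CSR is generated is a CSR attribute and is not the passphrase that encrypts the private key; only the latter belongs in private_key_password, which is what this check exercises.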