Bug 473118 - After upgrade to Fedora 10, freeradius does not work.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: freeradius
Version: 10
Hardware: i386 Linux
Priority: medium
Severity: urgent
Assigned To: John Dennis
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-26 11:05 EST by Alexandre Thieme Reis
Modified: 2008-12-03 13:10 EST
Doc Type: Bug Fix
Last Closed: 2008-12-03 13:10:25 EST

Attachments:
radius.log: freeradius log (87.33 KB, application/octet-stream)
2008-11-26 11:06 EST, Alexandre Thieme Reis

Description Alexandre Thieme Reis 2008-11-26 11:05:24 EST
Description of problem: I have a wireless router configured for WPA2/Enterprise EAP/TLS authentication in freeradius. After the upgrade to Fedora 10, freeradius does not authenticate the clients. All configuration is the same as before the upgrade.
I have an enterprise network and all wireless clients fail to work!

Version-Release number of selected component (if applicable):
freeradius 2.1.1-6


How reproducible: Always


Steps to Reproduce:
1. Start freeradius
2. Start wireless router
3. Start laptop client

Actual results: Client does not authenticate


Expected results: Client authenticates


Additional info: attached a freeradius log

PS: Excuse my poor English.
Comment 1 Alexandre Thieme Reis 2008-11-26 11:06:18 EST
Created attachment 324749
radius.log: freeradius log
Comment 2 John Dennis 2008-11-26 11:29:26 EST
What was the version of freeradius prior to the upgrade? Configuration in the 2.x series is different. If the prior version was not 2.x then please attach your configuration files.

Please also verify the certificates in /etc/raddb/certs are the ones you expect. The 2.x series will automatically create certificates the first time it is run.
Comment 3 Alexandre Thieme Reis 2008-11-26 12:13:51 EST
Previous version: freeradius-2.1.1-6 fc9
Current version: freeradius-2.1.1-6 fc10

My upgrade procedure:
1. Backup configuration files
2. Update fedora-release and fedora-release-notes
3. upgrade (yum upgrade)
4. reboot
5. restore configuration files

I checked all configuration files; they are all OK.
The client configuration did not change.
Comment 4 John Dennis 2008-11-26 12:22:33 EST
Previous version: freeradius-2.1.1-6 fc9
Current version: freeradius-2.1.1-6 fc10

That's impossible, both of those packages were simultaneously released last night.
Comment 5 Alexandre Thieme Reis 2008-11-26 14:04:57 EST
Client wpa_supplicant shows:

Associated with 00:21:29:85:99:ef
CTRL-EVENT-SCAN-RESULTS
CTRL-EVENT-EAP-STARTED EAP authentication started
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
CTRL-EVENT-EAP-FAILURE EAP authentication failed
WPA: Failed to get master session key from EAPOL state machines
WPA: Key handshake aborted
WPA: Failed to get master session key from EAPOL state machines
WPA: Key handshake aborted
WPA: Failed to get master session key from EAPOL state machines
WPA: Key handshake aborted
WPA: Failed to get master session key from EAPOL state machines
WPA: Key handshake aborted

Maybe the problem is in another library

ldd radiusd shows:

ldd /usr/sbin/radiusd
        linux-gate.so.1 =>  (0x00110000)
        libfreeradius-radius-2.1.1.so => /usr/lib/freeradius/libfreeradius-radius-2.1.1.so (0x00111000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x053f4000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00ca5000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00799000)
        libreadline.so.5 => /lib/libreadline.so.5 (0x00d7c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x055f7000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0x03b23000)
        libdl.so.2 => /lib/libdl.so.2 (0x00792000)
        libssl.so.7 => /lib/libssl.so.7 (0x002f2000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x00132000)
        libc.so.6 => /lib/libc.so.6 (0x005f1000)
        /lib/ld-linux.so.2 (0x005c8000)
        libtinfo.so.5 => /lib/libtinfo.so.5 (0x04ff5000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00d19000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0033d000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00d08000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00d4f000)
        libz.so.1 => /lib/libz.so.1 (0x007b5000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00d0d000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00d4a000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00a00000)
Comment 6 Alexandre Thieme Reis 2008-11-26 14:09:41 EST
The correct old version of freeradius: freeradius-2.0.2-2.fc9, my excuses.
Comment 7 Alexandre Thieme Reis 2008-11-26 18:03:08 EST
I have a computer with Fedora Core 9. On this computer I downgraded freeradius to 2.0.2-2 and copied the configuration from freeradius (certs and files). On Fedora 9 freeradius works; on Fedora Core 10 it does not work (the configuration is the same).
Comment 8 Thibault LE MEUR 2008-12-03 12:22:56 EST
I had the very same issue and finally found out that the upgrade has added /etc/raddb/modules/<modulename>.rpmnew files

These files are read at server startup and override your own setup.
For instance at startup:
...
including configuration file /etc/raddb/modules/pap.rpmnew
...
including configuration file /etc/raddb/modules/pap
... 

1- Move these files from /etc/raddb/modules/*.rpm to another location
2- Add the "name = radiusd" parameter at the beginning of /etc/raddb/radiusd.conf or remove the /etc/raddb/sites-enabled/control-socket link.
3- Eventually you'll have to remove the "include snmp.conf" line from radiusd.conf as well
4- restart your server

Could it be possible for the upgrade to add rpmnew files with another name?
As files matching the regex /[a-zA-Z0-9_.]+/ are loaded, we could use "modulename-rpmnew" or something like this?

Thibault
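
The check implied by comment 8, as an added example that is not part of the original bug report or of FreeRADIUS: it lists RPM leftover files in a modules directory that pass the name filter quoted above and would therefore still be read at startup. The function names and the demo tree are hypothetical; `.rpmsave` and `.rpmorig` are RPM's other leftover suffixes, included on the assumption that the same filter applies to them.

```shell
#!/bin/sh
# Added example: find package-manager leftovers that the config loader
# would still include. Assumption (from comment 8): every file whose
# name matches /[a-zA-Z0-9_.]+/ is read at server startup.

# find_loaded_leftovers DIR
# Prints "<leftover> duplicates <base>" when the live module file also
# exists, otherwise "<leftover> orphan".
find_loaded_leftovers() {
    local dir path name base
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        # Same character class as the loader filter quoted in comment 8.
        case $name in
            *[!a-zA-Z0-9_.]*) continue ;;   # name would not be loaded
        esac
        case $name in
            *.rpmnew|*.rpmsave|*.rpmorig) ;;
            *) continue ;;                  # ordinary module file
        esac
        base=${name%.rpm*}
        if [ -f "$dir/$base" ]; then
            printf '%s duplicates %s\n' "$name" "$base"
        else
            printf '%s orphan\n' "$name"
        fi
    done
}

# Constructed demo tree (not real configuration) so the script runs offline.
demo_leftovers() {
    local tmp
    tmp=$(mktemp -d) || return 1
    : > "$tmp/pap"; : > "$tmp/pap.rpmnew"   # leftover beside the live file
    : > "$tmp/eap.rpmsave"                  # leftover with no live file
    : > "$tmp/mschap"                       # ordinary module, ignored
    : > "$tmp/chap.rpmnew~"                 # '~' fails the name filter
    find_loaded_leftovers "$tmp"
    rm -rf "$tmp"
}

demo_leftovers
```

On a real server the call would be `find_loaded_leftovers /etc/raddb/modules`; any line it prints names a file to review and move out of the directory before restarting radiusd.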
Comment 9 Thibault LE MEUR 2008-12-03 12:35:08 EST
After having a closer look at the bug described, my Comment #8 may not be directly related to this bug.

I may have to open a new one?

Thibault
Comment 10 Alexandre Thieme Reis 2008-12-03 13:08:50 EST
Solution:
in file /etc/raddb/eap.conf:

tls {
   ...
   fragment_size = 2048
   ...
}

I found this solution in the wpa_supplicant forum.
freeradius-2.0.2 works with fragment_size = 1024, but for freeradius-2.1.1 fragment_size = 2048 is needed for EAP/TLS authentication.

Thanks for all!
