Re: eap-ttls + PAP using Crypt-Password obtained by ldap
Thor Spruyt wrote:
> Florian Prester wrote:
>> The Crypted-Password is working and it is available as Crypt-Password. (Tested with ntradping). I added DEFAULT Auth-Type := pap at the end of the users-file, without it wants to use ldap-authentication!
>
> You should set Auth-Type := pap

I mean SHOULDN'T!!! See http://vuksan.com/linux/dot1x/802-1x-LDAP.html

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap-ttls + PAP using Crypt-Password obtained by ldap
Alan DeKok wrote:
> Florian Prester [EMAIL PROTECTED] wrote:
>> I configured as you told, but I still get an error at the freeradius:
>
> You haven't shown the contents of the packet.
>
>> Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute Password is required for authentication.
>
> You've told the server to do PAP authentication, but there's no password in the request. Don't do that.
>
>> I added DEFAULT Auth-Type := pap at the end of the users-file, without it wants to use ldap-authentication!
>
> Which ALSO forces the server to do PAP when it receives an EAP request.
>
> Solution:
> 1) read man users
> 2) change := to =
>
> Alan DeKok.

ok, after I set := to = the radius is trying to do EAP with md5. So I think the wpa_supplicant is telling the radius to do so. Which of course needs a Password-attribute.

So back again to the wpa_supplicant-configuration, how do I configure EAP-TTLS with PAP as inner authentication?

thanks for all the help.

Florian Prester

--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813
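Added example (not part of the original thread, and not FreeRADIUS source): a minimal Python model of the operator semantics from `man users` that the exchange above turns on, where `:=` always replaces Auth-Type and `=` sets it only when no other module has chosen one. The module order (eap before files), the user name and the request contents are assumptions constructed for the illustration.

```python
# Added illustration, not FreeRADIUS source: a minimal model of how the
# users-file operators "=" and ":=" act on the Auth-Type control item.

PAP_ERROR = "rlm_pap: Attribute Password is required for authentication."


def eap_authorize(request, control):
    """eap module in authorize: claim any request that carries EAP-Message."""
    if "EAP-Message" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "EAP"


def files_authorize(control, entry):
    """files module: apply one 'DEFAULT Auth-Type <op> <value>' check item."""
    attr, op, value = entry
    if op == ":=":
        control[attr] = value            # always replaces an existing value
    elif op == "=":
        control.setdefault(attr, value)  # sets it only if nothing chose one
    else:
        raise ValueError(f"operator {op!r} is not modelled here")


def authenticate(request, control):
    """Dispatch on whatever Auth-Type is left in the control list."""
    auth_type = control.get("Auth-Type")
    if auth_type == "pap" and "User-Password" not in request:
        return auth_type, "reject: " + PAP_ERROR
    if auth_type == "pap":
        return auth_type, "pap compares User-Password with Crypt-Password"
    if auth_type == "EAP":
        return auth_type, "eap continues the EAP conversation"
    return auth_type, "reject: no Auth-Type"


def handle(request, default_entry):
    control = {}
    eap_authorize(request, control)          # assumed order: eap, then files
    files_authorize(control, default_entry)
    return authenticate(request, control)


# Constructed sample requests: the outer EAP packet from the access point,
# and the inner request that EAP-TTLS/PAP produces inside the tunnel.
OUTER_EAP = {"User-Name": "alice", "EAP-Message": "0x0201000a01616c696365"}
INNER_PAP = {"User-Name": "alice", "User-Password": "s3cret"}


def compare_operators():
    """Run both requests against DEFAULT Auth-Type := pap and = pap."""
    rows = {}
    for op in (":=", "="):
        entry = ("Auth-Type", op, "pap")
        rows[op] = {
            "outer": handle(OUTER_EAP, entry),
            "inner": handle(INNER_PAP, entry),
        }
    return rows


if __name__ == "__main__":
    for op, row in compare_operators().items():
        for kind, (auth_type, outcome) in row.items():
            print(f"DEFAULT Auth-Type {op} pap | {kind}: {auth_type} -> {outcome}")
```

With `:=` the outer EAP packet is handed to PAP and rejected for lack of a password; with `=` the outer packet stays with EAP and only the tunnelled request, which does carry User-Password, reaches PAP.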
Message without subject. EAP-MD5
Sorry for my last message without subject. I've already repaired my problem. I had put in my users file:

test User-Password := password # Auth-Type = Local Reply-Message = Hello, %u

and this Reply-Message (which is included in users file as an example) was the reason my server didn't work. I've only commented this line and the server functions again. Thank you!!! I will ask you something about LEAP protocol soon.
Re: radzap problem
Dear Alan,

Thanks, you are right and now it's working.

--- Alan DeKok [EMAIL PROTECTED] wrote:
> Soheb Ahmed [EMAIL PROTECTED] wrote:
>> Thanks for your reply. I have used port collection of FreeBSD on line to install freeradius.
>
> So? My statement is still true.
>
> Alan DeKok.

Thanks

Md. Soheb Ahmed
708 Shahidbagh (First Floor), Dhaka 1217, Bangladesh.
Email: [EMAIL PROTECTED],[EMAIL PROTECTED]
http://www.geocities.com/soheb707/
Re: freeradius and oracle LDAP
Thanks. I will try this. I have composed searches on LDAP and figured out the filter that I need to use to get the UID but not the password. Thanks for the info. If I get it to work I will post the information for the others as well.

----- Original Message -----
From: Vladimir Vuksan [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, August 11, 2005 2:23 PM
Subject: Re: freeradius and oracle LDAP

Allan Borman wrote:
> Hi Vladimir, Thanks for the reply. Would it help if I send you the debug info on the RADIUS? If you are interested let me know.

I don't think that would help any. First of all you have to make sure that LDAP is providing the right information before you try to get it going with RADIUS. For example if you can do an LDAP search as the admin user against your Oracle LDAP database you should be able to configure FreeRADIUS easily, i.e.

ldapsearch -x -D 'uid=root,dc=yourorg,dc=com' 'uid=allan'

and then confirm that the right attributes are being provided by the LDAP.

Vladimir
LEAP and PEAP protocols
Hi everybody again,

I would like to know if any of you has some information about LEAP and PEAP protocols. Does any RFC about them exist? I find nothing on the net. Thank you!!!

Juan
Re: LEAP and PEAP protocols
Juan Daniel Moreno [EMAIL PROTECTED] wrote:
> I would like to know if any of you has some information about LEAP and PEAP protocols. Does any RFC about them exist? I find nothing on the net. Thank you!!!

doc/rfc/*

Alan DeKok.
Re: eap-ttls + PAP using Crypt-Password obtained by ldap
Florian Prester [EMAIL PROTECTED] wrote:
> ok, after I set := to = the radius is trying to do EAP with md5. So I think the wpa_supplicant is telling the radius to do so. Which of course needs a Password-attribute.

Yes.

> So back again to the wpa_supplicant-configuration, how do I configure EAP-TTLS with PAP as inner authentication?

Ask on a WPA supplicant list. I haven't used it, so I know nothing about it.

Alan DeKok.
Re: Accounting VSAs
I should have mentioned in my original e-mail before that we're testing FreeRADIUS 1.0.1 on Redhat Fedora Core 3.

Now, according to the Ascend (Lucent) MAX TNT documentation I have, the only time Ascend-Data-Rate gets sent out to the RADIUS server is during an Accounting Stop packet, therefore I only have the % variables in that SQL statement. Here is a listing of my stop queries:

sql: accounting_stop_query = UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}', AscendDataRate = '%{Ascend-Data-Rate}', AscendXmitRate = '%{Ascend-Xmit-Rate}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'

sql: accounting_stop_query_alt = INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, AscendDataRate, AscendXmitRate) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}', '%{Ascend-Data-Rate}', '%{Ascend-Xmit-Rate}')

I have also tried X-Ascend-Data-Rate and X-Ascend-Xmit-Rate with no luck.

radrelay when run locally on the test freeradius server with encoded production data (Vendor-Specific lines instead of Ascend-* lines) copied from our Cistron radius does not display Vendor-Specific lines /or/ the resultant Ascend-* lines that should be replacing the V-S lines when radrelay is run with -xx. My SQL statements end up with blank information where the %{} replacements are.

radrelay when run locally on the test freeradius server with decoded production data (Ascend-* lines) copied from our Cistron radius does display the Ascend-* attributes when radrelay is run with -xx, but does not seem to change my SQL statements - again, the %{} replacements are blank.

The detail file in both cases is a collection of 5 or 6 days' worth of data.

Alan DeKok wrote:
> Wesley Spadola [EMAIL PROTECTED] wrote:
>
> No... they don't get escaped. Read doc/variables.txt. The %{} syntax tells the server to replace %{foo} with the VALUE of attribute foo.

I read the documentation you pointed me to and it explained exactly what I want to know in a concise and straightforward manner - thank you for that! AFAIK all I have to do to include VSAs into my queries is enclose the attribute name (e.g. Ascend-Data-Rate) in the query like so: %{Ascend-Data-Rate} and it should replace it with the appropriate value.

Is there any more information I could send forth to help debug my issue?

Thanks,
Wes
Re: LEAP and PEAP protocols
LEAP is a proprietary protocol of Cisco's. They have never published a spec, but it has been reverse engineered. (use Google) It is severely flawed.

PEAP is in an Internet Draft (v2), but what Microsoft has implemented (v0) and what Cisco supports (v1) are two different derivations of previous versions. You will have to do some archival spelunking to get specs that may agree with the implementations.

Good luck!

Dave.

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: LEAP and PEAP protocols
Date: Fri, 12 Aug 2005 11:10:52 -0400

Juan Daniel Moreno [EMAIL PROTECTED] wrote:
> I would like to know if any of you has some information about LEAP and PEAP protocols. Does any RFC about them exist? I find nothing on the net. Thank you!!!

doc/rfc/*

Alan DeKok.
16bit attributes...
BTW, does FreeRADIUS support 16bit attributes yet? I see a message at http://lists.cistron.nl/pipermail/cistron-radius/2004-January/005824.html that says that FR is close to doing it, but I haven't been able to find any information more recently to support this.

Thanks,
Wes
Re: concept question
FreeRadius users mailing list freeradius-users@lists.freeradius.org on August 11, 2005 at 15:23 -0800 wrote:
> what i am dreaming of (at least regarding radius ;-) ):
> - wlan with wpa/802.1x using freeradius
> - clients mostly windows xp, several mac os x, few linux (unimportant right now)
> - the normal users (known to the local unix network the accesspoint/switch is connected to via nis or (some day) ldap) can access easily just with their username and password, if possible without client certificates (to keep things simple for the user)
> - some special 'accounts' (for guests etc.) in the freeradius users files
>
> can this be realized with freeradius? as far as i understand the concepts behind this all this means i have to use peap, eap/ttls or eap/mschap-v2, am i right? has anyone set up something like this and can help me with some ideas, hints about trap-doors and other trouble ahead? or even some example configuration files?

I've done something similar.

First off, if your passwords are stored using irreversible encryption (e.g. Unix passwd file), you are only going to be able to use EAP-TTLS/PAP. Reason being that both PEAP and MSCHAPv2 require a challenge-response type mechanism, where the server has the plaintext password available to it (either by reversible encryption or plaintext).

For EAP-TTLS, WindowsXP supplicants will either be installed with the wireless card (in the case of the newer Intel ones) or you'll have to pick up SecureW2. Both options work quite well. You don't need client certs with EAP-TTLS. The MacOS X.2 (or better) with latest patches will do TTLS builtin. There is a supplicant available for Linux, too -- Xsupplicant, courtesy of the Open1x project.

Let me know if you need any other tips or tricks.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
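Added example (not part of the original thread): a Python sketch of why a one-way password hash pairs with PAP inside the tunnel but not with a challenge-response method. CHAP (RFC 1994) stands in for the challenge-response family and an LDAP-style salted SHA-1 value stands in for the crypt hash; both choices, the password, the salt and the challenge are assumptions constructed for the illustration.

```python
# Added illustration: what a server holding only a one-way hash can verify.
import base64
import hashlib
import hmac


def ssha(password: bytes, salt: bytes) -> str:
    """One-way stored form: {SSHA} = base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_verify(stored: str, received_cleartext: bytes) -> bool:
    """PAP hands the server the cleartext, so it can re-hash and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(received_cleartext + salt).digest()
    return hmac.compare_digest(candidate, digest)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(server_secret: bytes, ident: int,
                challenge: bytes, response: bytes) -> bool:
    """The server must recompute the response from the secret it holds."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct horse"        # constructed sample password
    salt = bytes.fromhex("a1b2c3d4")   # fixed so the run is repeatable
    stored = ssha(password, salt)      # all the directory keeps
    ident, challenge = 7, bytes(range(16))
    client_response = chap_response(ident, password, challenge)
    return {
        # PAP inside the TLS tunnel: the cleartext reaches the server.
        "pap_right_password": pap_verify(stored, password),
        "pap_wrong_password": pap_verify(stored, b"wrong"),
        # CHAP works only when the server holds the same cleartext secret.
        "chap_server_has_cleartext":
            chap_verify(password, ident, challenge, client_response),
        # With only the hash, the server cannot rebuild the response.
        "chap_server_has_hash_only":
            chap_verify(stored.encode(), ident, challenge, client_response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

PAP sends the password itself, which is why it is only used here inside the EAP-TTLS tunnel.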
Re: LEAP and PEAP protocols
FreeRadius users mailing list freeradius-users@lists.freeradius.org on August 12, 2005 at 09:04 -0800 wrote:
> LEAP is a proprietary protocol of Cisco's. They have never published a spec, but it has been reverse engineered. (use Google) It is severely flawed.

What he said.

> PEAP is in an Internet Draft (v2), but what Microsoft has implemented (v0) and what Cisco supports (v1) are two different derivations of previous versions. You will have to do some archival spelunking to get specs that may agree with the implementations.

PEAP and LEAP are different beasts. If you want the auth features of LEAP (e.g. simple username/password), your best bet is to look at EAP-TTLS/PAP. If you want the hashing functions (whereby CHAP of some sort is used), PEAP will work, given the right subtype.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: 16bit attributes...
Wesley Spadola [EMAIL PROTECTED] wrote:
> BTW, Does FreeRADIUS support 16bit attributes yet?

1.0.x does not. The latest CVS snapshots do support them. See dictionary.lucent.

Alan DeKok.
Re: Accounting VSAs
Wesley Spadola [EMAIL PROTECTED] wrote:
> I should have mentioned in my original e-mail before that we're testing FreeRADIUS 1.0.1 on Redhat Fedora Core 3.

You should really upgrade. See http://www.freeradius.org/security.html

> radrelay when run locally on the test freeradius server with encoded production data (Vendor-Specific lines instead of Ascend-* lines) copied from our Cistron radius does not display Vendor-Specific lines /or/ the resultant Ascend-* lines that should be replacing the V-S lines when radrelay is run with -xx.

Hmm... that shouldn't happen.

> radrelay when run locally on the test freeradius server with decoded production data (Ascend-* lines) copied from our Cistron radius does display the Ascend-* attributes when radrelay is run with -xx, but does not seem to change my SQL statements - again, the %{} replacements are blank.

radrelay doesn't use SQL statements. And read the debug log to see what the server is getting in a packet, and what it does with that data.

Alan DeKok.
GOT error read client CA in eap-tls
Hi all,

I configured freeradius following this document http://www.alphacore.net/spipen/article.php3?id_article=1 but I got the error below

rad_recv: Access-Request packet from host 192.168.101.29:1239, id=62, length=230
    User-Name = mobile
    NAS-IP-Address = 192.168.101.29
    NAS-Port = 0
    Called-Station-Id = 00-80-C8-AC-A3-80
    Calling-Station-Id = 00-04-23-52-E4-10
    NAS-Identifier = jameslong5 On Center
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020400500d8000461603010041013d030142fd1e5eebf3eb7698937e226b8350843678f15002dc309a1934beb1c6f56e1d1600040005000a000900640062000300060013001200630100
    State = 0x9b6a342a9b2b46b0fd473df927bba128
    Message-Authenticator = 0xc68c53d418a3f44053680ba65b37dfbf
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module preprocess returns ok for request 2
modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '@' in User-Name = mobile, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 2
rlm_eap: EAP packet type response id 4 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 2
users: Matched entry DEFAULT at line 152
users: Matched entry mobile at line 219
modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: TLS 1.0 Handshake [length 06bf], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: TLS 1.0 Handshake [length 00b2], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode

Thank you.
EAP-TLS
Hi all,

conf eap-tls by http://www.alphacore.net/spipen/article.php3?id_article=1

I don't understand why I got TLS_accept:error in SSLv3 read client certificate A

TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode

and some I got SSL negotiation finished successfully but eaptls_process handled

modcall[authenticate]: module eap returns handled for request 3

why not ok?

eaptls_verify returned 11
rlm_eap_tls: TLS 1.0 Handshake [length 02e4], Certificate
chain-depth=1, error=0
-- User-Name = mobile
-- BUF-Name = matilda
-- subject = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT Solution/OU=Administrator/CN=matilda/[EMAIL PROTECTED]
-- issuer = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT Solution/OU=Administrator/CN=matilda/[EMAIL PROTECTED]
-- verify return:1
chain-depth=0, error=0
-- User-Name = mobile
-- BUF-Name = mobile
-- subject = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT Solution/OU=Administrator/CN=mobile/[EMAIL PROTECTED]
-- issuer = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT Solution/OU=Administrator/CN=matilda/[EMAIL PROTECTED]
-- verify return:1
TLS_accept: SSLv3 read client certificate A
rlm_eap_tls: TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module eap returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 23 to 192.168.101.29:1239

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.101.29:1239, id=20, length=143
    User-Name = mobile
    NAS-IP-Address = 192.168.101.29
    NAS-Port = 0
    Called-Station-Id = 00-80-C8-AC-A3-80
    Calling-Station-Id = 00-04-23-52-E4-10
    NAS-Identifier = jameslong5 On Center
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0201000b016d6f62696c65
    Message-Authenticator = 0xcc20399e49cf1b257bdf7d820424d89f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = mobile, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 1 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry mobile at line 219
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 20 to 192.168.101.29:1239
    EAP-Message = 0x010200060d20
    Message-Authenticator = 0x
    State = 0x34d599218f561dce9524e244c5cc874d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.29:1239, id=21, length=230
    User-Name = mobile
    NAS-IP-Address = 192.168.101.29
    NAS-Port = 0
    Called-Station-Id = 00-80-C8-AC-A3-80
    Calling-Station-Id = 00-04-23-52-E4-10
    NAS-Identifier = jameslong5 On Center
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020200500d8000461603010041013d030142fd2917e892c20b68f495c58695ece35b355b986b0362d67237ab6a81446fe51600040005000a000900640062000300060013001200630100
    State = 0x34d599218f561dce9524e244c5cc874d
    Message-Authenticator = 0x7dcff4d08c8b3ad1e6197c3b77b609c5
Processing the authorize section of radiusd.conf
modcall: entering group authorize
FreeRADIUS 1.0.4 can't compile on Solaris 10
Greetings everybody.

There's this problem that has me completely stumped despite several late night attempts to solve it, so any help would be gratefully appreciated. ;-)

I'm trying to compile FreeRADIUS 1.0.4 on a Solaris 10 machine. The initial ./configure seems to have completed without too much fuss. The problem is that when I try make all the following error message is given after it tries to compile:

* snip
gmake[1]: Entering directory `/export/home/tmp/freeradius-1.0.4'
Making all in libltdl...
gmake[2]: Entering directory `/export/home/tmp/freeradius-1.0.4/libltdl'
/bin/sh ./libtool --mode=link gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -o libltdl.la -rpath /usr/local/lib -no-undefined -version-info 4:0:1 ltdl.lo -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypto -lssl
rm -fr .libs/libltdl.la .libs/libltdl.* .libs/libltdl.*
/usr/ccs/bin/ld -G -z defs -h libltdl.so.3 -o .libs/libltdl.so.3.1.0 ltdl.lo -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypto -lssl -lc
ld: fatal: library -lcrypto: not found
ld: fatal: library -lssl: not found
ld: fatal: File processing errors. No output written to .libs/libltdl.so.3.1.0
gmake[2]: *** [libltdl.la] Error 1
gmake[2]: Leaving directory `/export/home/tmp/freeradius-1.0.4/libltdl'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/export/home/tmp/freeradius-1.0.4'
*** Error code 2
The following command caused the error:
/usr/sfw/bin/gmake WHAT_TO_MAKE=all common
make: Fatal error: Command failed for target `all'
* snip

The really strange part is that ./configure seems to actually find the libcrypto and libssl libraries:

* snip
checking for openssl/ssl.h... yes
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... yes
* snip

I did the following command line tests and got the following results:

#ld -lcrypto
ld: fatal: library -lcrypto: not found
ld: fatal: File processing errors. No output written to a.out

#ld -lssl
ld: fatal: library -lssl: not found
ld: fatal: File processing errors. No output written to a.out

I think the libraries are already in the correct path:

#crle
Configuration file [version 4]: /var/ld/ld.config
Default Library Path (ELF): /lib:/usr/lib:/usr/local/lib:/usr/sfw/lib
Trusted Directories (ELF):/lib/secure:/usr/lib/secure (system default)
Command line: crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib:/usr/sfw/lib

Does anyone know how to solve this problem? Let me know if I've left out any information.

Thanks again!