rlm_eap_tls: SSL_read failed in a system call

2007-04-24 Thread Sean McNamara
Hello all,
   
I saw there was a bit of talk in 2006 over this issue, but I wasn't 
able to track down a definitive solution. We're running FreeRADIUS 
1.1.5 with EAP/TTLS (OpenSSL 0.9.8d) on Solaris 10. The server will 
come up and process clients for a few days, but every now and then it 
begins denying all auth-requests with the following error:

Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.notice] Login incorrect (rlm_ldap: User not found): [anonymous] 
(from client VillanovaWireless port 5191 cli 000b.7d22.b3a9)
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.error] TLS Alert write:fatal:bad record mac
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.error] TLS_accept:error in SSLv3 read certificate verify A
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.error] rlm_eap: SSL error error:1408F119:SSL 
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.error] rlm_eap_tls: SSL_read failed in a system call (-1), TLS 
session fails.

A restart makes the server happy and it goes back to properly auth'ing 
clients...

At the moment I'm compiling FreeRADIUS 1.1.6 and hoping for some 
improvement, but does anyone have any additional advice or experience 
with this issue, or better yet, does anyone know the fix? 

Thanks for your time!

..Sean.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
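Added example (not code from the post or from FreeRADIUS): a small Python triage script run over the syslog lines quoted above. The lines are copied into the script as constructed sample input, together with two made-up lines (a second supplicant MAC and a later successful login) so the logic has something to distinguish. It flags a burst of TLS record-MAC failures from one radiusd process and then checks whether several supplicant MACs fail in the same window, which separates the "denying all auth-requests" condition the post describes from a single broken client. The burst threshold, the 60-second window and the extra lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the radiusd lines quoted in the post, plus two made-up
# lines (second supplicant MAC at 09:56:13, successful login at 09:58:05).
SAMPLE_LOG = """\
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.notice] Login incorrect (rlm_ldap: User not found): [anonymous] (from client VillanovaWireless port 5191 cli 000b.7d22.b3a9)
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.error] TLS Alert write:fatal:bad record mac
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.error] TLS_accept:error in SSLv3 read certificate verify A
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.error] rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.error] rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Apr 24 09:56:13 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.notice] Login incorrect (rlm_ldap: User not found): [anonymous] (from client VillanovaWireless port 5192 cli 0016.6f1a.2c3d)
Apr 24 09:58:05 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.notice] Login OK: [jdoe] (from client VillanovaWireless port 5193 cli 001b.6301.4e5f)
"""

# Solaris syslog line: "<ts> <host> <prog>[<pid>]: [ID <msgid> <facility.level>] <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"\[ID (?P<msgid>\d+) (?P<facility>[\w.]+)\] (?P<msg>.*)$"
)
# Trailer rlm_eap/rlm_ldap put on per-request lines; "cli" is the supplicant MAC.
CLIENT_RE = re.compile(r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>\S+)\)")

# Substrings that identify the wedged-TLS symptom from the post (assumed set).
TLS_FAILURE_MARKERS = ("bad record mac", "TLS_accept:error", "SSL_read failed")


def parse_line(line):
    """Parse one syslog line into a dict, or None if it is not in that format."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for intra-log deltas (but would reject "Feb 29").
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["pid"] = int(rec["pid"])
    rec["tls_failure"] = any(k in rec["msg"] for k in TLS_FAILURE_MARKERS)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def tls_failures(records):
    return [r for r in records if r["tls_failure"]]


def detect_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """Per radiusd PID, find the densest window of TLS failures; report it if
    it holds at least `threshold` lines. Returns [(pid, window_start, count)]."""
    by_pid = {}
    for r in tls_failures(records):
        by_pid.setdefault(r["pid"], []).append(r["time"])
    bursts = []
    for pid, times in by_pid.items():
        times.sort()
        best, best_start = 0, None
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n > best:
                best, best_start = n, t0
        if best >= threshold:
            bursts.append((pid, best_start, best))
    return bursts


def stations_in_window(records, start, window=timedelta(seconds=60)):
    """Distinct supplicant MACs on 'Login incorrect' lines inside the window.
    Several MACs failing together points at server state; one MAC at a client."""
    macs = set()
    for r in records:
        if not (start <= r["time"] <= start + window):
            continue
        if not r["msg"].startswith("Login incorrect"):
            continue
        m = CLIENT_RE.search(r["msg"])
        if m:
            macs.add(m.group("cli"))
    return macs


def assess(text, threshold=3, window=timedelta(seconds=60), min_stations=2):
    """Top-level check: one report entry per PID that shows a failure burst."""
    records = parse_log(text)
    report = []
    for pid, start, count in detect_bursts(records, threshold, window):
        macs = stations_in_window(records, start, window)
        report.append({"pid": pid, "start": start, "failures": count,
                       "stations": sorted(macs),
                       "server_wide": len(macs) >= min_stations})
    return report


if __name__ == "__main__":
    for entry in assess(SAMPLE_LOG):
        print(entry)
```

Feeding the script a tail of /var/adm/messages and acting on `server_wide` (page someone, or trigger the restart the post describes) is the intended use; on a real log the `threshold` and `min_stations` values need tuning against the normal rate of genuine "bad record mac" alerts from misconfigured supplicants.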


LDAP server per realm

2007-04-16 Thread Sean McNamara
Hello everyone,

I'm working on finding a way to define multiple local realms and have 
each have a unique LDAP profile associated with it. We want one 
associated with a particular realm, and the other to be the 
catchall/default case. In addition to this, we're also using EAP/TTLS, 
which may or may not complicate the situation. After googling a bit, I was 
under the impression that something along the following lines should work. 
Here are the relevant parts of the files I modified:

in proxy.conf:

# local realm (not proxied anywhere)
realm VLS {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

in dictionary:

VALUE   Auth-Type       VU      1
VALUE   Auth-Type       VLS     2

VALUE   Autz-Type       VU      1
VALUE   Autz-Type       VLS     2

in users:

DEFAULT Domain == VLS, Autz-Type := VLS

in radiusd.conf:

# one rlm_ldap instance per realm
ldap vlsldap {

        set_auth_type = yes
}

ldap vuldap {

        set_auth_type = yes
}

authorize {
        ...
        Autz-Type VLS {
                vlsldap
        }
        vuldap
        ...
}

authenticate {
        ...
        Auth-Type VLS {
                vlsldap
        }
        vuldap
        ...
}


When I attempt to authenticate, regardless of whether I specify a realm 
or not, it only checks the vuldap servers.  Any suggestions would be 
greatly appreciated!

Thank you..

..Sean.


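Added example (not code from the post or from FreeRADIUS): the realm-splitting and instance-selection logic the configuration above is trying to express, written out in Python so the edge cases are explicit, plus RFC 4515 escaping of the stripped user name before it goes into an LDAP search filter. The realm VLS to vlsldap mapping and the vuldap catch-all follow the post; treating the EAP-TTLS outer identity "anonymous" as something never to look up in LDAP, supporting the DOMAIN\user form alongside user@realm, case-insensitive realm matching and the uid attribute are all assumptions made for this example.

```python
# Constructed mapping from the post: VLS has its own rlm_ldap instance, every
# other realm (and no realm at all) falls through to vuldap.
REALM_LDAP = {"vls": "vlsldap"}   # realm (lowercased) -> ldap instance name
DEFAULT_LDAP = "vuldap"           # catch-all instance

# EAP-TTLS outer identity; looking this up in LDAP only produces the
# "rlm_ldap: User not found: [anonymous]" noise. Assumed convention.
ANONYMOUS_OUTER = "anonymous"


def split_nai(identity):
    """Split a User-Name into (user, realm).

    Handles the suffix form user@realm (RFC 4282 NAI) and the ntdomain form
    DOMAIN\\user. Returns realm None when no delimiter or an empty realm is
    present, so the caller can apply the default.
    """
    identity = identity.strip()
    if "\\" in identity:                      # ntdomain form: REALM\user
        realm, user = identity.split("\\", 1)
        return user, (realm or None)
    if "@" in identity:                       # suffix form: user@realm
        user, realm = identity.rsplit("@", 1)  # last '@' wins, as rlm_realm does
        return user, (realm or None)
    return identity, None


def select_ldap(identity):
    """Pick the LDAP instance for an inner identity.

    Returns (instance, stripped_user, realm_key) or None when the identity is
    the anonymous outer identity and must not be looked up at all.
    """
    user, realm = split_nai(identity)
    if user.lower() == ANONYMOUS_OUTER:
        return None
    if realm is None:
        return DEFAULT_LDAP, user, None
    key = realm.lower()
    return REALM_LDAP.get(key, DEFAULT_LDAP), user, key


# RFC 4515 escapes for values embedded in an LDAP search filter; without these
# a user name like "*" or "x)(uid=*" rewrites the filter instead of matching.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_filter_value(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_ldap_filter(user, attribute="uid"):
    """Filter for the stripped user name; attribute name is an assumption."""
    return "(%s=%s)" % (attribute, escape_ldap_filter_value(user))


def route(identity):
    """Convenience: instance plus the escaped filter that instance should run."""
    choice = select_ldap(identity)
    if choice is None:
        return None
    instance, user, realm = choice
    return {"instance": instance, "realm": realm, "filter": build_ldap_filter(user)}


if __name__ == "__main__":
    for ident in ("sean@VLS", "VLS\\sean", "sean@villanova.edu", "sean",
                  "anonymous", "anonymous@VLS", "x)(uid=*"):
        print("%-20s -> %s" % (ident, route(ident)))
```

The point to take from the script is that the selection key is the realm parsed out of the inner identity, not the outer one, and that whatever ends up in the LDAP filter must be escaped; both are things a per-realm configuration has to get right regardless of which FreeRADIUS release or syntax it is written in.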