Time slot today at noon:
- Snapshot of the server
- Followed FreeRADIUS Packages | NetworkRADIUS, up to just before the update
- Before the update to freeradius 3.2, the failed attempt with the Windows box (presumably Win11 v22H2, I didn't check) looked like this:
service freeradius debug
...
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x5aded75b5b10ce51
(2) eap: Finished EAP session with state 0x5aded75b5b10ce51
(2) eap: Previous EAP request found for state 0x5aded75b5b10ce51, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 251 bytes
(2) eap_peap: Got complete TLS record (251 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 00f6]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send UNKNOWN TLS VERSION ?0304? [length 0058]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send UNKNOWN TLS VERSION ?0304? [length 0001]
(2) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(2) eap_peap: TLS_accept: TLSv1.3 early data
(2) eap_peap: TLS_accept: Need to read more data: TLSv1.3 early data
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 207 length 105
(2) eap: EAP session adding &reply:State = 0x5aded75b5811ce51
After the update to 3.2, with the same device, it then looked like this:
service freeradius debug
...
(2) # Executing group from file /etc/freeradius/3.2/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xb3d88663b2ef9f6e
(2) eap: Finished EAP session with state 0xb3d88663b2ef9f6e
(2) eap: Previous EAP request found for state 0xb3d88663b2ef9f6e, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 247 bytes
(2) eap_peap: (TLS) EAP Got all data (247 bytes)
(2) eap_peap: (TLS) Handshake state - before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello
(2) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(2) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(2) eap_peap: (TLS) In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 56 length 1004
(2) eap: EAP session adding &reply:State = 0xb3d88663b1e09f6e
yeah!
I still need to test at leisure whether the configurations are the same when loaded (you can see that above in the debug messages).
Configuration-wise, I "only" had to do the following:
root@server /etc # git diff default/freeradius
diff --git a/default/freeradius b/default/freeradius
index ac4cb68..43b1e83 100644
--- a/default/freeradius
+++ b/default/freeradius
@@ -1,7 +1,6 @@
# Options passed to the FreeRADIUS deamon.
#
-FREERADIUS_OPTIONS=""
-
+FREERADIUS_OPTIONS="-d /etc/freeradius/3.2"
# If FreeRADIUS is being used on a SysVinit system
# and FREERADIUS_OPTIONS has not been set and the
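Review bot: The new FREERADIUS_OPTIONS value hardcodes the versioned directory /etc/freeradius/3.2 without a comment saying why, and the blank line that separated the assignment from the following comment block is removed. That comment block describes behaviour for the case where FREERADIUS_OPTIONS "has not been set", so it is worth checking that setting the variable here does not skip something the block relies on. Suggest adding a one-line comment above the assignment explaining the -d override and keeping the blank line after it.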
@@ -13,3 +12,4 @@ FREERADIUS_OPTIONS=""
#
FREERADIUS_CONF_LOCAL="/usr/local/etc/freeradius"
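Review bot: The header of this hunk (-13,3 +12,4) announces one added line, but no + line is visible and only two context lines are shown, so the actual change here cannot be reviewed. Please post the complete hunk so the added line can be checked alongside FREERADIUS_CONF_LOCAL.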
In addition, as a precaution, I copied the configuration (after the Debian upgrade).
mkdir /etc/freeradius/3.2
chown freerad /etc/freeradius/3.2
rsync -avP /etc/freeradius/3.0/ /etc/freeradius/3.2/
Best regards, Tobias