Building Debian FreeRadius package with EAP/TLS/TTLS/PEAP support

Debian's FreeRadius package is built without support for EAP/TLS/TTLS/PEAP because of licensing problems with the OpenSSL library. But if you want to implement 802.1x network authentication with strong security, you'll need it. This short tutorial explains how to build a Debian (sid, aka unstable) package linked to libssl, with EAP/TLS/TTLS/PEAP support compiled in.

First, download the newest source package (orig.tar.gz), Debian diffs (diff.gz) and description file (dsc) from the freeradius package page. The version I tested the procedure with is 1.1.7-1.

Unpack the source and switch to the resulting directory like this:

% dpkg-source -x *.dsc
dpkg-source: extracting freeradius in freeradius-1.1.7
dpkg-source: unpacking freeradius_1.1.7.orig.tar.gz
dpkg-source: applying ./freeradius_1.1.7-1.diff.gz
% cd freeradius-*

There are four changes that must be made in order to build the package successfully:

  1. edit debian/rules, search for eap and change every occurrence of --without-rlm_eap-* to --with-rlm_eap-*
  2. a few lines below, in the same file, replace --without-openssl with --with-openssl
  3. still editing the same file, find the following chunk of code (it aborts the build when any package links to libssl) and delete it entirely:
    for pkg in $(shell grep ^Package debian/control | awk '{print $$2}') ; do \
      if dh_shlibdeps -p $$pkg -- -O | grep -q libssl; then \
        echo "$$pkg links to openssl" ;\
        exit 1 ;\
      fi ;\
    done
  4. finally, edit debian/control and at the end of the line starting with Build-Depends: (second line in the file) add , libssl-dev

That should do it; you can now build the package like this:

% dpkg-buildpackage -rfakeroot

You do all of the above steps as a normal user, and if everything goes well, you'll find 8 Debian packages in the parent directory, which you can now install. Don't forget to hold the newly installed packages in your package manager; otherwise the next upgrade will pull in new official versions (without EAP/TLS/TTLS/PEAP support) that overwrite your custom-built packages.
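The four edits above can also be scripted. This is an added example, not part of the original tutorial or of the Debian packaging: the function names and the sample file excerpts are constructed for illustration, and it assumes GNU sed.

```shell
#!/bin/sh
# Added example: steps 1-4 applied with GNU sed (as shipped with Debian).
# make_sample writes CONSTRUCTED excerpts, not the real 1.1.7-1 packaging files.
make_sample() {   # $1 = directory to populate
    mkdir -p "$1/debian"
    cat > "$1/debian/control" <<'EOF'
Source: freeradius
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev
Package: freeradius
EOF
    cat > "$1/debian/rules" <<'EOF'
confflags = --without-rlm_eap_tls --without-rlm_eap_ttls \
    --without-rlm_eap_peap --without-openssl
binary-arch:
    for pkg in $(shell grep ^Package debian/control | awk '{print $$2}') ; do \
      if dh_shlibdeps -p $$pkg -- -O | grep -q libssl; then \
        echo "$$pkg links to openssl" ;\
        exit 1 ;\
      fi ;\
    done
    dh_gencontrol -a
EOF
}

apply_steps() {   # $1 = unpacked source directory
    rules="$1/debian/rules"; control="$1/debian/control"
    # Steps 1 and 2: flip the EAP and OpenSSL configure switches.
    sed -i -e 's/--without-rlm_eap\([-_]\)/--with-rlm_eap\1/g' \
           -e 's/--without-openssl/--with-openssl/g' "$rules"
    # Step 3: delete the loop that fails the build when a package links to libssl.
    sed -i '/for pkg in .*grep \^Package/,/^[[:space:]]*done[[:space:]]*$/d' "$rules"
    # Step 4: append libssl-dev to the Build-Depends line, only if missing.
    grep -q '^Build-Depends:.*libssl-dev' "$control" ||
        sed -i '/^Build-Depends:/ s/[[:space:]]*$/, libssl-dev/' "$control"
}

check_tree() {   # prints "ok" only when all four edits are in place
    ! grep -q -e '--without-rlm_eap' -e '--without-openssl' "$1/debian/rules" &&
    ! grep -q 'links to openssl' "$1/debian/rules" &&
    grep -q '^Build-Depends:.*libssl-dev' "$1/debian/control" && echo ok
}

# Demo on a throwaway directory.
tmp=$(mktemp -d) && make_sample "$tmp" && apply_steps "$tmp" && check_tree "$tmp"
rm -rf "$tmp"
```

On a real tree, call apply_steps with the unpacked source directory and review the resulting changes to debian/rules and debian/control before running dpkg-buildpackage -rfakeroot.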

If all that is too much work for you, you can try the attached patch:

% patch -p1 < freeradius-openssl.patch
patching file debian/control
patching file debian/rules

It'll work flawlessly with 1.1.7-1, but your mileage will vary with different versions; that's why everything is explained above.

Attachment                        Size
freeradius-openssl.patch          2.01 KB
freeradius-2.0.3-openssl.patch    1.94 KB

Update for Debian Lenny and freeradius 2.0.4-2

Thanks for this info, I verified this description with 2.0.4-2 in Debian lenny, with modifications. They are as follows:

To make the buildpackage work I had to set these in debian/rules:
--without-rlm_eap_ikev2
--without-rlm_eap_tnc
I didn't need them (I think) and I didn't know what packages I needed to support these options anyway (suggestions anyone?).

You need to comment this out of debian/rules (step 3):

for pkg in ${pkgs} ; do \
  if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then \
    echo "$$pkg links to openssl" ;\
    exit 1 ;\
  fi ;\
done

Finally, I needed to install piles of packages before running "dpkg-buildpackage -rfakeroot":

# apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev

I got errors on shared files in freeradius and freeradius-common:

dpkg: error processing freeradius_2.0.4-2_i386.deb (--install):
trying to overwrite `/usr/share/man/man1/radlast.1.gz', which is also in package freeradius-common

So I force installed them:

# dpkg -i --force-all freeradius-common_2.0.4-2_all.deb freeradius_2.0.4-2_i386.deb

Then nicely installed the other packages that I wanted:

# dpkg -i freeradius-dbg_2.0.4-2_i386.deb freeradius-iodbc_2.0.4-2_i386.deb freeradius-krb5_2.0.4-2_i386.deb freeradius-ldap_2.0.4-2_i386.deb freeradius-mysql_2.0.4-2_i386.deb freeradius-postgresql_2.0.4-2_i386.deb freeradius-utils_2.0.4-2_i386.deb libfreeradius-dev_2.0.4-2_i386.deb libfreeradius2_2.0.4-2_i386.deb

To hold the packages, as suggested after step 4, I used the command:
# aptitude hold freeradius-common freeradius freeradius-dbg freeradius-iodbc freeradius-krb5 freeradius-ldap freeradius-mysql freeradius-postgresql freeradius-utils libfreeradius-dev libfreeradius2

Then you can see that they are in the "hold" state when you use aptitude. Although for some reason they appear in the "install" state when you use:
# dpkg --get-selections freer*
Probably why they say you shouldn't mix and match dpkg and apt.

More info about package management here:
http://www.debian.org/doc/FAQ/ch-pkg_basics.en.html

instead of : # apt-get

instead of :
# apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev

you can use :
# apt-get build-dep freeradius
# apt-get install libssl-dev

One more thing

Remember to
apt-get install fakeroot

before running "dpkg-buildpackage -rfakeroot"

Updated patch for FreeRadius 2.0.3-1

As version 2.0.3-1 emerged into unstable, I noticed that the old patch fails miserably. But, it is still OK to follow the above steps to get to the working FreeRadius with EAP/TLS support. So I did it right away to help you all. With one small additional change, I changed debian/control to build-depend on libpcap0.8-dev instead of libpcap-dev. The latter one is now obsolete.

freeradius-2.0.3-openssl.patch

freeradius 2.1.0

Hi

I have been trying to follow this guide for the 2.1.0 version without success so far... The point is, when I get my packages I run dpkg -i *.deb, but what I get in the freeradius folder is only the folders certs modules sites-availables site-enable and sql, but not the configuration files normally located at the root of the folder... Could someone help me out? Many thanks

Freeradius TTLS authentication failure

Hello linportal,

I am getting up a Freeradius server with ttls support. I have built the Debian package with ttls support but when I try to test it I get the following output:

#freeradius -X
Starting - reading configuration files ...

[...]

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32775, id=187, length=56
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Segmentation fault
#

I don't know what the problem is. I have been surfing the Internet and I have not found any resources to resolve the failure.

Please, could you help me?

I look forward to hearing from you soon.

Respectfully,

Jose Antonio.

Segmentation fault means

Segmentation fault means there's a serious bug in freeradius, which you should report on the official FreeRadius Bug Database page.