unable to get local issuer certificate

classic Classic list List threaded Threaded
4 messages Options
| Threaded
Open this post in threaded view
|

unable to get local issuer certificate

Users mailing list
Hello, thank you for your time and effort.
I've been successfully using Freeradius3 for some years now for EAP-TLS. But now I've moved config directory (as I've done successfully in the past several times) over to a new installation. It's OpenBSD 6.8 and LibreSSL 3.2.2.

Again, the very SAME configuration (certs etc) have been successfully running on OpenBSD 6.6, but on 6.8 I'm getting SSL error "unable to get local issuer certificate".Complete piece of log output from $radiusd -X is attached. It's Freeradius 3.0.21. And the very SAME configuration directory (/etc/raddb) is used on another machine with Freeradius-3.0.21 successfully.
What could be the reason for this strange error? Here is the error part:
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls:   TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''
tls: Certificate CN (guest1) fails external verification!
....
Brief summary: /tmp/radiusd IS writable by _freeradius user -- I checked that explicitly by trying to write their by that user. Certificates ARE available in the certdir, which is clear from the string "eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'". And in the full log attached here there appears message "unable to get local issuer certificate". All certificates were created by the same procedure... though I think I used easy-rsa instead of the Freeradius tools. Just don't remember that.

Thank you very much for your time!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: unable to get local issuer certificate

Users mailing list
Ok, checked the same with certificate created using the /etc/raddb/certs folder from the distribution downloaded from the Freeradius site. I WAS able to create the needed certs + keys + client.p12 bundle for Android phone -- so far so good :)
But now the server returns the same error. So the problem was NOT in the certs/keys I supplied, but somewhere else.I wonder if that could be LibreSSL problem? OpenBSD is using that while FreeBSD uses OpenSSL and Freeradius works fine there.
And why does it validate user certificate TWICE? Here it is in the log:...........................
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls:   TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''



With kindest regards,
Kostya Berger
 
 

    On Tuesday, 15 December 2020, 17:14:47 GMT+3, Kostya Berger via Freeradius-Users <[hidden email]> wrote:  
 
 Hello, thank you for your time and effort.
I've been successfully using Freeradius3 for some years now for EAP-TLS. But now I've moved config directory (as I've done successfully in the past several times) over to a new installation. It's OpenBSD 6.8 and LibreSSL 3.2.2.

Again, the very SAME configuration (certs etc) have been successfully running on OpenBSD 6.6, but on 6.8 I'm getting SSL error "unable to get local issuer certificate".Complete piece of log output from $radiusd -X is attached. It's Freeradius 3.0.21. And the very SAME configuration directory (/etc/raddb) is used on another machine with Freeradius-3.0.21 successfully.
What could be the reason for this strange error? Here is the error part:
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls:   TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''
tls: Certificate CN (guest1) fails external verification!
....
Brief summary: /tmp/radiusd IS writable by _freeradius user -- I checked that explicitly by trying to write their by that user. Certificates ARE available in the certdir, which is clear from the string "eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'". And in the full log attached here there appears message "unable to get local issuer certificate". All certificates were created by the same procedure... though I think I used easy-rsa instead of the Freeradius tools. Just don't remember that.

Thank you very much for your time!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: unable to get local issuer certificate

Alan DeKok-2
On Dec 16, 2020, at 7:37 PM, Kostya Berger via Freeradius-Users <[hidden email]> wrote:
>
> Ok, checked the same with certificate created using the /etc/raddb/certs folder from the distribution downloaded from the Freeradius site. I WAS able to create the needed certs + keys + client.p12 bundle for Android phone -- so far so good :)
> But now the server returns the same error. So the problem was NOT in the certs/keys I supplied, but somewhere else.I wonder if that could be LibreSSL problem? OpenBSD is using that while FreeBSD uses OpenSSL and Freeradius works fine there.

  Well, that is likely it then.  :(

> And why does it validate user certificate TWICE?

  No idea.  Our "Verifying client certificate" code is in a callback.  i.e. we call LibreSSL / OpenSSL to do TLS magic, and it runs our callback whenever it chooses to run our callback.  We have no control over that.

> Here it is in the log:...........................
> (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
> (5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
> (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
> (5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'

  That's good.

> ...
> (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}

  That is weird.

> (5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
> (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
> Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
> 9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
> 9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
> unable to load certificate
> (5) eap_tls: ERROR: Program returned code (2) and output ''

  Hmm... the code which prints "Verifying client certificate" does:

* write cert to file
  * print error if we can't!
* print "verifying client certificate"
* run the program

  So there shouldn't be any code path where it runs the program, *and* the file doesn't exist.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: unable to get local issuer certificate

Users mailing list
In reply to this post by Users mailing list
Seems the problem is with OpenBSD Freeradius/SSL configuration.
I ended up running certs/bootstrap on the OpenBSD machine where Freeradius runs. THe resulting certificates work fine on a FreeBSD-based Freeradius server, but on OpenBSD I get this complaining about the "local issuer certificate".I just don't know what else I might check.

With kindest regards,
Kostya Berger
 
 

    On Thursday, 17 December 2020, 03:38:27 GMT+3, Kostya Berger via Freeradius-Users <[hidden email]> wrote:  
 
 Ok, checked the same with certificate created using the /etc/raddb/certs folder from the distribution downloaded from the Freeradius site. I WAS able to create the needed certs + keys + client.p12 bundle for Android phone -- so far so good :)
But now the server returns the same error. So the problem was NOT in the certs/keys I supplied, but somewhere else.I wonder if that could be LibreSSL problem? OpenBSD is using that while FreeBSD uses OpenSSL and Freeradius works fine there.
And why does it validate user certificate TWICE? Here it is in the log:...........................
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls:   TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''



With kindest regards,
Kostya Berger
 
 

    On Tuesday, 15 December 2020, 17:14:47 GMT+3, Kostya Berger via Freeradius-Users <[hidden email]> wrote: 
 
 Hello, thank you for your time and effort.
I've been successfully using Freeradius3 for some years now for EAP-TLS. But now I've moved config directory (as I've done successfully in the past several times) over to a new installation. It's OpenBSD 6.8 and LibreSSL 3.2.2.

Again, the very SAME configuration (certs etc) have been successfully running on OpenBSD 6.6, but on 6.8 I'm getting SSL error "unable to get local issuer certificate".Complete piece of log output from $radiusd -X is attached. It's Freeradius 3.0.21. And the very SAME configuration directory (/etc/raddb) is used on another machine with Freeradius-3.0.21 successfully.
What could be the reason for this strange error? Here is the error part:
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
(5) eap_tls: Client certificate CN guest1 passed external validation
(5) eap_tls: TLS - Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "271014045744Z"
(5) eap_tls:   TLS-Client-Cert-Valid-Since := "171016045744Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=guest1"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=radius-ca"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "guest1"
(5) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "0A:7C:1E:FF:76:49:92:23:E2:01:FC:0E:E2:4C:AD:A4:DF:D7:97:B3"
(5) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:99:FE:50:7E:22:CA:AB:8A:99:DB:BD:AB:F1:5C:7D:9D:13:9C:FB:15\nDirName:/CN=radius-ca\nserial:AD:E7:75:7D:9C:52:62:82\n"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls:    --> /tmp/radiusd/radiusd.client.UCCKLTa6
Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6
9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r')
9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257:
unable to load certificate
(5) eap_tls: ERROR: Program returned code (2) and output ''
tls: Certificate CN (guest1) fails external verification!
....
Brief summary: /tmp/radiusd IS writable by _freeradius user -- I checked that explicitly by trying to write their by that user. Certificates ARE available in the certdir, which is clear from the string "eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'". And in the full log attached here there appears message "unable to get local issuer certificate". All certificates were created by the same procedure... though I think I used easy-rsa instead of the Freeradius tools. Just don't remember that.

Thank you very much for your time!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html