Setting up EAP-TLS as the ONLY authentication mechanism?

Thomas Hruska thruska at
Sat Mar 23 16:51:42 CET 2013

I want to set up FreeRADIUS using EAP-TLS only.  I'm running Ubuntu 
Server 12.04.2 LTS here with the packaged build of FreeRADIUS from the 
default Ubuntu/Debian apt-get package repository.  I'm finding junk 
scattered all over the place for configuring this thing (typical), so my 
first objective is to get FreeRADIUS into a locked-down state so that 
'freeradius -X' doesn't return things that bother me (i.e. pared back to 
minimal functionality first).

Since I only want EAP-TLS, output lines like the following bother me 
(I've inlined my concerns):

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 
2012 at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/chap

Does FreeRADIUS really need to load all of those config files to 
function?  That is, does it hurt in any way to load all of the module 
config files?  From what I can tell, they don't seem to be relevant 
until they are instantiated later on, but I would appreciate confirmation.

radiusd: #### Loading Realms and Home Servers ####
  proxy server {
         retry_delay = 5
         retry_count = 3
         default_fallback = no
         dead_time = 120
         wake_all_if_all_dead = no

What does this do?  I don't think I need a proxy server.  My setup is 
just a consumer router plus a single Ubuntu box with FreeRADIUS on it.

  home_server localhost {
         ipaddr =
         port = 1812
         type = "auth"
         secret = "testing123"
         response_window = 20
         max_outstanding = 65536
         require_message_authenticator = yes
         zombie_period = 40
         status_check = "status-server"
         ping_interval = 30
         check_interval = 30
         num_answers_to_alive = 3
         num_pings_to_alive = 3
         revive_interval = 120
         status_check_timeout = 4
         irt = 2
         mrt = 16
         mrc = 5
         mrd = 30
  home_server_pool my_auth_failover {
         type = fail-over
         home_server = localhost
  realm {
         auth_pool = my_auth_failover
  realm LOCAL {

All of this seems to be in proxy.conf.  It doesn't look like I need any 
of it but I'm not sure if it is safe to get rid of it/comment it out. 
Again, this will be the only RADIUS server in the network and my 
understanding is that proxies are for forwarding requests to other 
RADIUS servers.  Given my setup, can I safely comment out the '$INCLUDE 
proxy.conf' line in 'radiusd.conf'?

radiusd: #### Loading Clients ####
  client localhost {
         ipaddr =
         require_message_authenticator = no
         secret = "testing123"
         nastype = "other"

Not sure why I would need this either.  Based on the 'secret' string's 
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm 
not 100% confident about that.

radiusd: #### Instantiating modules ####
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
   exec {
         wait = no
         input_pairs = "request"
         shell_escape = yes
  Module: Linked to module rlm_expr
  Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
  Module: Linked to module rlm_expiration
  Module: Instantiating module "expiration" from file 
   expiration {
         reply-message = "Password Has Expired  "
  Module: Linked to module rlm_logintime
  Module: Instantiating module "logintime" from file 
   logintime {
         reply-message = "You are calling outside your allowed timespan  "
         minimum-timeout = 60

Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a 
password - it can expire, but the message "Password Has Expired" seems 
like it will never appear (or, if it does, it'll be confusing to a 
user).  I'm probably not going to use the 'logintime' features.  'exec' 
might be useful since I probably will use the external 'openssl' based 
'verify' method in 'eap.conf' (unless someone can suggest a better 

radiusd: #### Loading Virtual Servers ####

Even when 'default' was the only thing in 'sites-enabled', it loaded a 
bunch of stuff other than EAP-TLS.  I currently have nothing in 
'sites-enabled' right now, but would like insight into what the 
configuration file should be to just do EAP-TLS.

radiusd: #### Opening IP addresses and Ports ####
listen {
         type = "auth"
         ipaddr = *
         port = 0
listen {
         type = "acct"
         ipaddr = *
         port = 0
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

Again, I don't think I need a proxy and I'm not sure what the 
'accounting' port is for.  My policy is that "fewer open ports is 
better".  So do I really want/need all of this?

A few additional questions of where I'm currently a bit stuck:

What do I need to do to set up FreeRADIUS so that it only supports 
EAP-TLS?  Some of the stuff in 'eap.conf' is confusing.  I've commented 
out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left 
uncommented and set 'default_eap_type = tls', but I'm not sure if that 
is all I need to do.  Documentation on setting up an "EAP-TLS only" 
RADIUS server is limited.

What is the best method of setting it up so that only the router can 
communicate with the RADIUS server on port 1812?

Sorry for the long post.

Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.

More information about the Freeradius-Users mailing list