Setting up EAP-TLS as the ONLY authentication mechanism?
Thomas Hruska
thruska at cubiclesoft.com
Sat Mar 23 16:51:42 CET 2013
I want to set up FreeRADIUS using EAP-TLS only. I'm running Ubuntu
Server 12.04.2 LTS here with the packaged build of FreeRADIUS from the
default Ubuntu/Debian apt-get package repository. I'm finding junk
scattered all over the place for configuring this thing (typical), so my
first objective is to get FreeRADIUS into a locked-down state so that
'freeradius -X' doesn't return things that bother me (i.e. pared back to
minimal functionality first).
Since I only want EAP-TLS, output lines like the following bother me
(I've inlined my concerns):
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24
2012 at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
...
including configuration file /etc/freeradius/modules/pam
...
including configuration file /etc/freeradius/modules/chap
...
^^^^^^^
Does FreeRADIUS really need to load all of those config files to
function? That is, does it hurt in any way to load all of the module
config files? From what I can tell, they don't seem to be relevant
until they are instantiated later on, but I would appreciate confirmation.
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
^^^^^
What does this do? I don't think I need a proxy server. My setup is
just a consumer router plus a single Ubuntu box with FreeRADIUS on it.
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
^^^^^
All of this seems to be in proxy.conf. It doesn't look like I need any
of it but I'm not sure if it is safe to get rid of it/comment it out.
Again, this will be the only RADIUS server in the network and my
understanding is that proxies are for forwarding requests to other
RADIUS servers. Given my setup, can I safely comment out the '$INCLUDE
proxy.conf' line in 'radiusd.conf'?
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
^^^^^
Not sure why I would need this either. Based on the 'secret' string's
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
not 100% confident about that.
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
^^^^^^
Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a
password - it can expire, but the message "Password Has Expired" seems
like it will never appear (or, if it does, it'll be confusing to a
user). I'm probably not going to use the 'logintime' features. 'exec'
might be useful since I probably will use the external 'openssl' based
'verify' method in 'eap.conf' (unless someone can suggest a better
approach).
radiusd: #### Loading Virtual Servers ####
...
^^^^^^
Even when 'default' was the only thing in 'sites-enabled', it loaded a
bunch of stuff other than EAP-TLS. I currently have nothing in
'sites-enabled' right now, but would like insight into what the
configuration file should be to just do EAP-TLS.
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
^^^^^^
Again, I don't think I need a proxy and I'm not sure what the
'accounting' port is for. My policy is that "fewer open ports is
better". So do I really want/need all of this?
A few additional questions about where I'm currently a bit stuck:
What do I need to do to set up FreeRADIUS so that it only supports
EAP-TLS? Some of the stuff in 'eap.conf' is confusing. I've commented
out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
uncommented and set 'default_eap_type = tls', but I'm not sure if that
is all I need to do. Documentation on setting up an "EAP-TLS only"
RADIUS server is limited.
What is the best method of setting it up so that only the router can
communicate with the RADIUS server on port 1812?
Sorry for the long post.
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you might find useful.
http://cubiclesoft.com/
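As an added example that is not from this post or from the FreeRADIUS project, the following fragments show one way to pare a FreeRADIUS 2.1.x install down to what EAP-TLS with a single router needs: no proxying, one client, one EAP type, one listener. The router address, shared secret and certificate paths are placeholders.

```conf
# radiusd.conf (excerpt): nothing is forwarded, so no proxy listener on 1814
# is opened and proxy.conf (home servers, pools, realms) is not needed.
proxy_requests = no
# $INCLUDE proxy.conf

# clients.conf: the router is the only NAS allowed to talk to the server.
# Requests from any other address are dropped before they reach a module.
client router {
    ipaddr = 192.0.2.10                    # placeholder: the router's LAN address
    secret = CHANGE_ME_LONG_RANDOM_SECRET  # placeholder; must match the router
    require_message_authenticator = yes    # reject packets without a valid HMAC
    nastype = other
}

# eap.conf: TLS is the only EAP type; every other method is left out, so a
# client proposing MD5, LEAP or MSCHAPv2 is refused instead of negotiated.
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = 4096
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.pem   # placeholder paths
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem                  # CA that issued the client certs
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }
}

# sites-enabled/default: one authentication listener on 1812 (drop this
# file's acct listener if the router sends no accounting), and only the
# eap module in the request path, so chap/pap/mschap are never consulted.
listen {
    type = auth
    ipaddr = *
    port = 1812
}
authorize {
    eap
}
authenticate {
    eap
}
```

A host firewall rule that admits UDP/1812 only from the router's address adds a second layer on top of the client list, and 'freeradius -X' will confirm that only the modules referenced above are instantiated.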