Dynamic Client and TCP/TLS
aland at deployingradius.com
Sat May 11 22:40:51 CEST 2019
On May 11, 2019, at 1:08 PM, Karim Benayed <benayed at gmail.com> wrote:
> Hi, I am trying to setup Dynamic Client configuration where Redis is used
> to retrieve the secret, setup the FreeRADIUS-Client attributes and redirect
> for authentication.
> The model is working perfectly for UDP with Dynamic Clients and for TCP/TLS
> non-dynamic clients.
> The moment I enable Dynamic Clients against the TCP/TLS configuration, I
> get the following error:
In order to do TCP/TLS, the server has to do *full* TLS negotiation. Only then can it read any packets.
The short answer is that it's not set up to do dynamic clients for TCP/TLS. Changing that isn't trivial.
The simple solution is to just forbid dynamic clients when TCP/TLS is used.
For TCP/TLS tho, you don't *need* dynamic clients. Just allow 0/0, and the require a known client certificate. If the certificate is OK, you don't really care where the packets come from.
More information about the Freeradius-Users