So, I've got a current FR setup, version 2.2.8 [although the last time I've done this was under a 1.x FR version - these configs are under an upgraded distro version - so the newer FR setups are somewhat confusing for me. This is all under Ubuntu - this setup started life as a 12.04 (IIRC) setup, and got upgraded to 16.04. I'm now trying to migrate it to a fresh setup on 18.04.] I'm trying to move it to a new FR setup under 3.0.16. It's a Wifi WPA setup - using EAP-TLS with certificates/key only. [Not PEAP etc.] And I'm having trouble. Rather than have you look at a debug - perhaps I should start here. I'm not sure I'm doing the right steps for setup/configuration. Moving clients.conf is obvious. [Though I've added the newer "ipaddr" to them.] I have created new certs/keys/ca - and I'm pretty sure I've done that correctly. [Lets assume I have for now - we'll come back to that later, if needed. I can always test with the old certs/keys too, because I know those work. I'm using GNUTLS to handle CA/Cert/Key creation, and I know I need to add the OID's for "server" and "client" as applicable. And I've verified these are present in the relevant certs.] Now, to where I'm quite unsure... I need to edit the EAP configuration in ./mods-available, and create a link to it in ./mods-enabled - right? --- Here's what is in my current eap [in FR 2.2.8] - though the eap.conf file isn't in the mods-available directory, it's in the main FR config dir. I suppose I could probably leave it that way, but I'm trying to do this the "new" way. --- eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 #md5 { #} # #leap { #} # #gtc { # auth_type = PAP #} tls { certdir = ${confdir}/certs cadir = ${confdir}/certs #private_key_password = whatever private_key_file = ${certdir}/radius.somedom.local.key certificate_file = ${certdir}/radius.somedom.local.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom CA_path = ${cadir} check_crl = yes cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 # hours max_entries = 255 } verify { } } #ttls { # default_eap_type = md5 # copy_request_to_tunnel = no # use_tunneled_reply = no # virtual_server = "inner-tunnel" #} #peap { # default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = no # virtual_server = "inner-tunnel" #} #mschapv2 { #} } --- Though to start, I think I'll avoid checking a CRL - just to keep things simple. Do, I just essentially paste this config straight into the new one? [I don't think so - there's a new section "tls-config tls-common" and I'm unsure about that.] I don't believe there are any changes I made previously [or need to make now] to radiusd.conf? Is there anything else I need to do? Thanks in advance! -Greg