On May 11, 2019, at 1:08 PM, Karim Benayed <benayed@gmail.com> wrote:
Hi, I am trying to setup Dynamic Client configuration where Redis is used to retrieve the secret, setup the FreeRADIUS-Client attributes and redirect for authentication.
The model is working perfectly for UDP with Dynamic Clients and for TCP/TLS non-dynamic clients.
The moment I enable Dynamic Clients against the TCP/TLS configuration, I get the following error:
In order to do TCP/TLS, the server has to do *full* TLS negotiation. Only then can it read any packets. The short answer is that it's not set up to do dynamic clients for TCP/TLS. Changing that isn't trivial. The simple solution is to just forbid dynamic clients when TCP/TLS is used. For TCP/TLS tho, you don't *need* dynamic clients. Just allow 0/0, and the require a known client certificate. If the certificate is OK, you don't really care where the packets come from. Alan DeKok.