I'm not sure I'm doing the right steps for setup/configuration.
AD> See http://deployingradius.com AD> That contains detailed instructions for (a) starting from a AD> default config, and (b) having EAP / WiFi auth work.
Here's what is in my current eap [in FR 2.2.8] - though the eap.conf file isn't in the mods-available directory, it's in the main FR config dir. I suppose I could probably leave it that way, but I'm trying to do this the "new" way.
AD> Please don't move your v2 config to v3. Start with the default AD> configuration in v3, in a fresh v3 installation. Then, gradually AD> re-create the *functionality* piece by piece, with testing. The web page you point to isn't very helpful for EAP-TLS - at least the config portion, which is what I'm having issues with. But that said, I did get it working with the "old" eap config. However, I need some guidance in putting that into the new config layout/style. It looks like the eap section is pretty much unchanged, except for hollowing out tls{} and moving it all into tls-common{} and pointing the tls section at tls-common. Otherwise the config appears unchanged, really. So, does this look about right? [Obviously substituting the proper values for my setup.] --- eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_password = whatever private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem ca_file = /etc/ssl/certs/ca-certificates.crt #auto_chain = yes #psk_identity = "test" #psk_hexphrase = "036363823" dh_file = ${certdir}/dh #random_file = /dev/urandom #fragment_size = 1024 #include_length = yes #check_crl = yes #check_all_crl = yes ca_path = ${cadir} #allow_expired_crl = no #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" #check_cert_cn = %{User-Name} cipher_list = "DEFAULT" cipher_server_preference = no #disable_tlsv1_2 = no #disable_tlsv1_1 = no #disable_tlsv1 = no #tls_min_version = "1.0" #tls_max_version = "1.2" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours #name = "EAP module" #persist_dir = "${logdir}/tlscache" } } tls { # Point to the common TLS configuration tls = tls-common } } ---