What I've got is listen { ipv6addr = * port = 2083 # # TCP and TLS sockets can accept Access-Request and # Accounting-Request on the same socket. # # auth = only Access-Request # acct = only Accounting-Request # auth+acct = both # type = auth+acct # For now, only TCP transport is allowed. proto = tcp # Send packets to the default virtual server virtual_server = default clients = radsec # # Connection limiting for sockets with "proto = tcp". # limit { # # Limit the number of simultaneous TCP connections to the socket # # The default is 16. # Setting this to 0 means "no limit" max_connections = 16 # The per-socket "max_requests" option does not exist. # # The lifetime, in seconds, of a TCP connection. After # this lifetime, the connection will be closed. # # Setting this to 0 means "forever". lifetime = 0 # # The idle timeout, in seconds, of a TCP connection. # If no packets have been received over the connection for # this time, the connection will be closed. # # Setting this to 0 means "no timeout". # # We STRONGLY RECOMMEND that you set an idle timeout. # idle_timeout = 30 } # This is *exactly* the same configuration as used by the EAP-TLS # module. It's OK for testing, but for production use it's a good # idea to use different server certificates for EAP and for RADIUS # transport. # # If you want only one TLS configuration for multiple sockets, # then we suggest putting "tls { ...}" into radiusd.conf. # The subsection below can then be changed into a reference: # # tls = ${tls} # # Which means "the tls sub-section is not here, but instead is in # the top-level section called 'tls'". # # If you have multiple tls configurations, you can put them into # sub-sections of a top-level "tls" section. There's no need to # call them all "tls". You can then use: # # tls = ${tls.site1} # # to refer to the "site1" sub-section of the "tls" section. # tls = ${tls.prodn2} } clients radsec { client 2a03:b0c0:1:a1::a9f:8001 { ipv6addr = 2a03:b0c0:1:a1::a9f:8001 proto = tls secret = radsec } client 127.0.0.1 { ipaddr = 127.0.0.1 proto = tls secret = radsec } } ....... On 21 July 2017 at 12:39, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 21, 2017, at 6:34 AM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
FR fails to start up with error
Fri Jul 21 10:19:24 2017 : Error: /usr/local/etc/freeradius/sites-enabled/tls[87]: Client does not have the same TLS configuration as the listener Fri Jul 21 10:19:24 2017 : Error: /usr/local/etc/freeradius/sites-enabled/tls[7]: Failed to load clients for this listen section
The listen section has tls enabled, but the client does not.
but all I've done is move the tls{..} contents into radiusd.conf tls {prodn2 {...}} and added a tls=${tls.prodn2} statement.
Hmm... maybe it's getting confused about tls as a sub-section versus a reference.
I'll take a look....
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html