Spoke too soon Unpacked and built FR 4.0 from git symbolic linked tls, default,.buffered-sql and inner-tunnel from sites-available to sites-enabled ran /usr/local/sbin/radiusd -d /etc/freeradius -X -l /var/log/freeradius/radius.log > /var/log/freeradius/radius.log and got Error : /etc/freeradius/sites-enabled/tls[7]: Listeners of type 'auth+acct' MUST be defined in a server. Edited tls to add server tls {....} and got Dec 2 16:20:56 2016 : Debug : cipher_list = "DEFAULT" Fri Dec 2 16:20:56 2016 : Debug : cipher_server_preference = yes Fri Dec 2 16:20:56 2016 : Debug : allow_renegotiation = no Fri Dec 2 16:20:56 2016 : Debug : require_client_cert = yes Fri Dec 2 16:20:56 2016 : Debug : ecdh_curve = "prime256v1" Fri Dec 2 16:20:56 2016 : Debug : cache { Fri Dec 2 16:20:56 2016 : Debug : lifetime = 24 Fri Dec 2 16:20:56 2016 : Debug : verify = no Fri Dec 2 16:20:56 2016 : Error : /etc/freeradius/sites-enabled/tls[253]: Configuration pair "enable" is deprecated commented out #enable = no ran again Fri Dec 2 16:21:51 2016 : Debug : auto_chain = yes Fri Dec 2 16:21:51 2016 : Debug : check_crl = no Fri Dec 2 16:21:51 2016 : Debug : cipher_list = "DEFAULT" Fri Dec 2 16:21:51 2016 : Debug : cipher_server_preference = yes Fri Dec 2 16:21:51 2016 : Debug : allow_renegotiation = no Fri Dec 2 16:21:51 2016 : Debug : require_client_cert = yes Fri Dec 2 16:21:51 2016 : Debug : ecdh_curve = "prime256v1" Fri Dec 2 16:21:51 2016 : Debug : cache { Fri Dec 2 16:21:51 2016 : Debug : lifetime = 24 Fri Dec 2 16:21:51 2016 : Debug : verify = no Fri Dec 2 16:21:51 2016 : Error : /etc/freeradius/sites-enabled/tls[269]: Configuration pair "max_entries" is deprecated commented out # # The maximum number of entries in the # cache. Set to "0" for "infinite". # # This could be set to the number of users # who are logged in... which can be a LOT. # #max_entries = 255 and got Fri Dec 2 16:22:46 2016 : Debug : staple { Fri Dec 2 16:22:46 2016 : Debug : enable = no Fri Dec 2 16:22:46 2016 : Debug : override_cert_url = no Fri Dec 2 16:22:46 2016 : Debug : use_nonce = yes Fri Dec 2 16:22:46 2016 : Debug : timeout = 0 Fri Dec 2 16:22:46 2016 : Debug : softfail = no Fri Dec 2 16:22:46 2016 : Debug : } Fri Dec 2 16:22:46 2016 : Debug : } Fri Dec 2 16:22:46 2016 : Debug : limit { Fri Dec 2 16:22:46 2016 : Debug : max_connections = 16 Fri Dec 2 16:22:46 2016 : Debug : lifetime = 0 Fri Dec 2 16:22:46 2016 : Debug : idle_timeout = 30 Fri Dec 2 16:22:46 2016 : Debug : } Fri Dec 2 16:22:46 2016 : Debug : clients = "radsec" Fri Dec 2 16:22:46 2016 : Error : /etc/freeradius/sites-enabled/tls[8]: Failed to find clients radsec {...} but further down in tls we have listen { ipaddr = * port = 2083 # # TCP and TLS sockets can accept Access-Request and # Accounting-Request on the same socket. # # auth = only Access-Request # acct = only Accounting-Request # auth+acct = both # type = auth+acct # For now, only TCP transport is allowed. proto = tcp # Send packets to the default virtual server virtual_server = default clients = radsec # # Connection limiting for sockets with "proto = tcp". # limit { limit { # # Limit the number of simultaneous TCP connections to the socket # # The default is 16. # Setting this to 0 means "no limit" max_connections = 16 # The per-socket "max_requests" option does not exist. # # The lifetime, in seconds, of a TCP connection. After # this lifetime, the connection will be closed. # # Setting this to 0 means "forever". lifetime = 0 # # The idle timeout, in seconds, of a TCP connection. # If no packets have been received over the connection for # this time, the connection will be closed. # # Setting this to 0 means "no timeout". # # We STRONGLY RECOMMEND that you set an idle timeout. # idle_timeout = 30 } # This is *exactly* the same configuration as used by the EAP-TLS # module. It's OK for testing, but for production use it's a good # idea to use different server certificates for EAP and for RADIUS # transport. # # If you want only one TLS configuration for multiple sockets, # then we suggest putting "tls { ...}" into radiusd.conf. # The subsection below can then be changed into a reference: # # tls = ${tls} # # Which means "the tls sub-section is not here, but instead is in # the top-level section called 'tls'". # # If you have multiple tls configurations, you can put them into # sub-sections of a top-level "tls" section. There's no need to # call them all "tls". You can then use: # # tls = ${tls.site1} # # to refer to the "site1" sub-section of the "tls" section. # tls { private_key_password = whatever private_key_file = ${certdir}/server.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If ca_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all ..... # in the directory when the server starts. # tmpdir = /tmp/radiusd # The command used to verify the client cert. # We recommend using the OpenSSL command-line # tool. # # The ${..ca_path} text is a reference to # the ca_path variable defined above. # # The %{TLS-Client-Cert-Filename} is the name # of the temporary file containing the cert # in PEM format. This file is automatically # deleted by the server when the command # returns. # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } } } clients radsec { client 127.0.0.1 { ipaddr = 127.0.0.1 # # Ensure that this client is TLS *only*. # proto = tls ....... # # TCP clients can have any shared secret. # # TLS clients MUST have the shared secret # set to "radsec". Or, for "proto = tls", # you can omit the secret, and it will # automatically be set to "radsec". # secret = radsec # # You can also use a "limit" section here. # See raddb/clients.conf for examples. # # Note that BOTH limits are applied. You # should therefore set the "listen" limits # higher than the ones for each individual # client. # } } home_server tls { ipaddr = 127.0.0.1 port = 2083 ..... I know you said I didn't need the server blockbut without it can't even get as far as I did with the standard raddb configs A On 2 December 2016 at 13:52, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
So it does thx A
On 2 December 2016 at 13:47, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 2, 2016, at 8:04 AM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Once I wrapped the supplied example in "server tls {....} "
Why would you do that?
Get a "Failed to find clients radsec {..} message" even though the config is there.
The example works as-is. You don't need to wrap it in a "server tls" section.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html