TLS configuration

Matthew Newton mcn4 at leicester.ac.uk
Wed Feb 8 01:07:51 CET 2012


Hi,

On Tue, Feb 07, 2012 at 08:40:33AM +0100, Alan DeKok wrote:
> Matthew Newton wrote:
> >   ... so why is the TLS config all inside EAP-TLS, and
> >   mysteriously PEAP and TTLS use EAP-TLS's config?
> 
>   Because they all use TLS.  And because you want the server to appear
> as one RADIUS server.  Having a shared configuration makes that easier.
> 
>   The alternative would be to configure TLS *separately* for PEAP and
> TTLS.  When the user switches from PEAP to TTLS, a "new server" warning
> pops up, along with a new certificate.  That's not nice.

Hmm - agreed on this point. Maybe our confusion, then, is that
there is (logically, I'm not talking about the underlying code):

  TLS configuration, used by EAP-TLS, PEAP, TTLS because they all do TLS

yet the configuration implies:

  EAP-TLS, which is used by PEAP and TTLS.

The fact is that you have to configure EAP-TLS so that you can use
the PEAP/TTLS, even if you don't want to actually use the EAP-TLS
type itself.


> > In the main top-level config in radiusd.conf, have a new 'tls'
> > section, that might look something like this:
> 
>   The difficulty is that it doesn't follow the module format of the
> server.  It mixes module configuration, "listen" section configuration,
> and has configuration for different virtual servers in one place.

OK, maybe that isn't such a good way to clarify it. Like you say,
it would move configuration to different places and may make it
harder to follow. Thinking more about it, maybe just this would
make it easier to understand:

eap {

   ...

   common-tls {
     private_key_file = ...
     certificate_file = ...
     ...
   }

   md5 {
   }

   tls {
   }

   peap {
     ...
   }

   ttls {
   }

   ...
}

So the "TLS" bit is split from the EAP-TLS type. To disable
EAP-TLS, you'd just comment out the tls{} section, just like any
other EAP type, but leave the common-tls section for PEAP/TTLS to
use.

I guess as an extreme, the TLS options could even be directly in
the eap section rather than in a sub-section, as all eap types
requiring TLS in that instantiation will use the same TLS settings
(i.e. they're actually 'global'). But it seems tidier for them to
be grouped together.

>   See src/modules/rlm_eap/eap.c.  Look for "TLS".  Knowledge that
> TTLS/PEAP uses TLS is hard-coded into the EAP module.  Changing that is
> difficult.

Yeah, I can see how PEAP/TTLS use the underlying EAP-TLS code -
that makes a lot of sense. It's the fact that that code structure
percolates up into the configuration.

I admit, now that we know how it works, it's easy to configure,
but I've now been doing this for over a year. Things are always
easy when you know how! Initially it was a right pig to
understand... "but I don't *want* EAP-TLS (and I want to guarantee
it can never work)" :-)

Just trying to explore if there is any way the config can be
updated/simplified to remove that initial confusion!

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
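As an added illustration (not FreeRADIUS's own code; the `common-tls` layout is the hypothetical one proposed in the message above), the following Python parses a brace-delimited config in that shape and checks that PEAP/TTLS still find their TLS settings once the tls{} section is commented out:

```python
import re

# Constructed sample in the layout Matthew proposes (hypothetical, not
# real FreeRADIUS syntax): EAP-TLS commented out, shared TLS settings kept.
SAMPLE_CONFIG = """
eap {
  common-tls {
    private_key_file = /etc/raddb/certs/server.key
    certificate_file = /etc/raddb/certs/server.pem
  }
  # tls {
  # }
  peap {
  }
  ttls {
  }
}
"""

TLS_USERS = ("tls", "peap", "ttls")  # EAP types that need the TLS settings
REQUIRED_KEYS = ("private_key_file", "certificate_file")

def parse_sections(text):
    """Parse 'name { key = value }' blocks into nested dicts; '#' starts a comment."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"([\w-]+)\s*\{", line)
        if m:  # open a nested section
            child = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
        elif line == "}":  # close the current section
            stack.pop()
        elif "=" in line:  # key = value inside the current section
            key, val = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = val
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]

def check_eap(config):
    """Return (enabled TLS-based EAP types, common-tls keys they still lack)."""
    eap = config.get("eap", {})
    enabled = [t for t in TLS_USERS if t in eap]
    common = eap.get("common-tls", {})
    missing = [k for k in REQUIRED_KEYS if k not in common] if enabled else []
    return enabled, missing
```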


