Setting up EAP-TLS as the ONLY authentication mechanism?

Alan DeKok aland at
Sat Mar 23 23:54:13 CET 2013

Thomas Hruska wrote:
> Since I only want EAP-TLS, output lines like the following bother me
> (I've inlined my concerns):
> Does FreeRADIUS really need to load all of those config files to
> function?

  No.  That's why the config files are editable.  So you can edit them.

>  That is, does it hurt in any way to load all of the module
> config files?

  I don't understand the question.  What can "hurt" about loading config

> What does this do?

  Read raddb/proxy.conf.  This is documented.  Extensively.

> All of this seems to be in proxy.conf.  It doesn't look like I need any
> of it but I'm not sure if it is safe to get rid of it/comment it out.

  Read proxy.conf.

> Again, this will be the only RADIUS server in the network and my
> understanding is that proxies are for forwarding requests to other
> RADIUS servers.  Given my setup, can I safely comment out the '$INCLUDE
> proxy.conf' line in 'radiusd.conf'?

  This is documented.  The comments above the line "$INCLUDE proxy.conf"
tell you.  And again, the reason the config files are text is so that
you can edit them.

  What's the worst that can happen?  If something goes wrong... just put
the text back.

> Not sure why I would need this either.  Based on the 'secret' string's
> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
> not 100% confident about that.

  No.  Clients have nothing to do with proxies.

  Do you plan on testing your server?  If so, that entry can be useful.

> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
> password - it can expire, but the message "Password Has Expired" seems
> like it will never appear (or, if it does, it'll be confusing to a
> user).  I'm probably not going to use the 'logintime' features.  'exec'
> might be useful since I probably will use the external 'openssl' based
> 'verify' method in 'eap.conf' (unless someone can suggest a better
> approach).

  So... delete the things you're not using.  That's why there are
comments explaining what those modules do.  So you can learn, and think
for yourself.

> Even when 'default' was the only thing in 'sites-enabled', it loaded a
> bunch of stuff other than EAP-TLS.  I currently have nothing in
> 'sites-enabled' right now, but would like insight into what the
> configuration file should be to just do EAP-TLS.

  Read raddb/sites-enabled/default.

  Honestly, there is a *lot* of documentation on this included with the
config files.  I see no reason to cut & paste it here.  Instead, you
should find the time to read it.

> What do I need to do to set up FreeRADIUS so that it only supports

  Configure only EAP, and EAP-TLS.

>  Some of the stuff in 'eap.conf' is confusing.  I've commented
> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
> uncommented and set 'default_eap_type = tls', but I'm not sure if that
> is all I need to do.  Documentation on setting up an "EAP-TLS only"
> RADIUS server is limited.

  Nonsense.  I don't mean that there's lots of documentation on setting
up your exact desired configuration.  I mean it's nonsense to *expect*
that there will be lots of documentation on setting up your exact
desired configuration.

> What is the best method of setting it up so that only the router can
> communicate with the RADIUS server on port 1812?

  Firewalls.  Then, making sure that the server is only listening on
port 1812.

  Most of these questions are "The server does A and B, but I only want
it to do A.  What do I do?"  And the answer is "edit the config files so
that it doesn't do B".

 You're looking for reassurance that editing the config files won't
cause the server to explode in flaming metal.  It won't.  Edit them.

  Alan DeKok.
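As an added illustration of the "configure only EAP, and EAP-TLS" answer above (this is not Alan's configuration nor the project's shipped files), the relevant fragments of a FreeRADIUS 2.x setup that offers no EAP method other than TLS, listens for authentication on port 1812 only, and admits a single client. The certificate paths, key password, router address and shared secret are placeholders; the directive names are those of the 2.x stock configuration.

```text
# raddb/eap.conf  (EAP-TLS only: the md5/leap/mschapv2/ttls/peap sections are simply absent)
eap {
    default_eap_type = tls          # the only type ever proposed to a supplicant
    ignore_unknown_eap_types = no   # any other EAP type is rejected, not passed through
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = "PLACEHOLDER_KEY_PASSWORD"
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem   # the CA that issued the client certificates
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = no              # yes, plus a hashed CRL in CA_path, to honour revocation
        CA_path = ${cadir}
        cipher_list = "DEFAULT"
        # Optional external check of the presented client certificate: the
        # openssl-based 'verify' subsection mentioned in the question.
        verify {
            tmpdir = /tmp/radiusd
            client = "/usr/bin/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
        }
    }
}

# raddb/sites-enabled/default  (only what EAP-TLS needs; no pap/chap/mschap/files/sql)
authorize {
    preprocess
    eap
}
authenticate {
    eap
}

# raddb/radiusd.conf  (one authentication listener on 1812, no accounting listener)
listen {
    type = auth
    ipaddr = *
    port = 1812
}

# raddb/clients.conf  (the router is the only NAS allowed to talk to the server)
client router {
    ipaddr = 192.0.2.1              # placeholder: the router's address
    secret = "PLACEHOLDER_SHARED_SECRET"
}
```

A host firewall rule admitting UDP/1812 only from the router's address completes the "firewalls" half of the answer; the clients.conf entry on its own only makes the server discard packets from other sources, it does not stop them arriving.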
