Setting up EAP-TLS as the ONLY authentication mechanism?

Thomas Hruska thruska at cubiclesoft.com
Sun Mar 24 04:32:59 CET 2013


On 3/23/2013 3:54 PM, Alan DeKok wrote:
> Thomas Hruska wrote:
<snip>
>    Read proxy.conf.

[Sigh]  I have.  It doesn't make sense to me.  Why enable it as a 
default if it isn't necessary for basic functionality?  Hopefully you 
can see how the average user might be confused, "Hey the authors enabled 
this by default.  Maybe there is a very important reason for that.  I'll 
go ahead and leave it alone because they know better."  But I see an 
open port and wonder if it is actually necessary.  So I figured I would 
ask to obtain some knowledge of why it is enabled by default, hence the 
original questions.  Here's the text from 'radiusd.conf':

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#


Nowhere in there does it explain why proxying is on by default.  It just 
says that it can be turned off.  I want to know why it is on by default 
in the first place.  From what I'm beginning to understand, based on 
your reply, FreeRADIUS opens a port that isn't necessary for basic 
functionality as part of its default installation.  That sort of 
behavior should at least raise an eyebrow if not a few red flags.


>> Not sure why I would need this either.  Based on the 'secret' string's
>> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
>> not 100% confident about that.
>
>    No.  Clients have nothing to do with proxies.
>
>    Do you plan on testing your server?  If so, that entry can be useful.

The default client secret(s) should be different from the default proxy 
secret(s) to avoid confusion for first-time users.

I missed that it is there for testing.  And I see why:

#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#


>> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
>> password - it can expire, but the message "Password Has Expired" seems
>> like it will never appear (or, if it does, it'll be confusing to a
>> user).  I'm probably not going to use the 'logintime' features.  'exec'
>> might be useful since I probably will use the external 'openssl' based
>> 'verify' method in 'eap.conf' (unless someone can suggest a better
>> approach).
>
>    So... delete the things you're not using.  That's why there are
> comments explaining what those modules do.  So you can learn, and think
> for yourself.

Again, defaults exist for a reason.  The reasons for the defaults are 
what I'm actually after here.


>>   Some of the stuff in 'eap.conf' is confusing.  I've commented
>> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
>> uncommented and set 'default_eap_type = tls', but I'm not sure if that
>> is all I need to do.  Documentation on setting up an "EAP-TLS only"
>> RADIUS server is limited.
>
> I mean it's nonsense to *expect*
> that there will be lots of documentation on setting up your exact
> desired configuration.

All I was asking here was whether commenting out those protocols in 
'eap.conf' was all I have to do to disable them.  A simple confirmation 
would suffice.


>   You're looking for reassurance that editing the config files won't
> cause the server to explode in flaming metal.  It won't.  Edit them.

I admit that there is a little of that, but I'm just trying to save 
myself from breaking things too badly by understanding why the defaults 
are the defaults before I go and blow away large portions of config.

-- 
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.

http://cubiclesoft.com/
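The two checks the thread keeps circling back to (is proxying really off, and is 'tls' really the only EAP type left enabled) are easy to verify mechanically rather than by eyeballing commented-out sections. The script below is an added example and is not from this post or from the FreeRADIUS project: it parses the nested `section { key = value }` form that FreeRADIUS configuration files use (with '#' comments and `$INCLUDE` lines), then reports everything that still differs from an "EAP-TLS only, no proxy" setup. The sample `eap.conf` and `radiusd.conf` text is constructed for the example, and the function names are my own; the assumption that a missing `proxy_requests` line means proxying is on is a conservative choice, not a statement about the server's real fallback.

```python
"""Audit a FreeRADIUS-style configuration for "EAP-TLS only, proxying off".

Added example, not code from the mailing-list post or from FreeRADIUS.
Assumptions: the config grammar is the nested `name { key = value }` form
with '#' comments and `$INCLUDE file` lines; sample texts are constructed.
"""
import re

# Constructed sample: md5/leap/mschapv2 commented out, default_eap_type set,
# but 'peap' and 'ttls' left in place (they would still be offered to peers).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = tls
    # md5 {
    # }
    tls {
        certdir = ${confdir}/certs
        private_key_file = ${certdir}/server.pem
    }
    peap {
        default_eap_type = mschapv2
    }
    ttls {
        default_eap_type = md5
    }
}
"""

# Constructed sample: the stock proxy block left untouched.
SAMPLE_RADIUSD_CONF = """
proxy_requests = yes
$INCLUDE proxy.conf
"""


def strip_comments(text):
    """Drop everything after '#' on each line (good enough for this format)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse(text):
    """Parse into nested dicts: sections -> dict, settings -> str,
    and '$INCLUDE' -> list of included file names."""
    root = {}
    stack = [root]
    for raw in strip_comments(text).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("$INCLUDE"):
            stack[-1].setdefault("$INCLUDE", []).append(line.split(None, 1)[1])
            continue
        m = re.match(r'^([\w\-\.]+)\s*\{$', line)
        if m:                       # opening a nested section
            child = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
            continue
        if line == "}":             # closing the current section
            stack.pop()
            continue
        m = re.match(r'^([\w\-\.]+)\s*=\s*(.*)$', line)
        if m:                       # plain key = value
            stack[-1][m.group(1)] = m.group(2).strip()
    return root


def enabled_eap_types(eap_cfg):
    """Every sub-section of 'eap { }' is an EAP type the server will offer."""
    eap = eap_cfg.get("eap", {})
    return sorted(k for k, v in eap.items() if isinstance(v, dict))


def audit_eap_tls_only(eap_cfg, radiusd_cfg):
    """Return a list of findings; an empty list means the intended state."""
    findings = []
    eap = eap_cfg.get("eap", {})
    if eap.get("default_eap_type") != "tls":
        findings.append("default_eap_type is not tls")
    for t in enabled_eap_types(eap_cfg):
        if t != "tls":
            findings.append(f"EAP type '{t}' still enabled")
    # Assumption: treat a missing proxy_requests line as "yes" (conservative).
    if radiusd_cfg.get("proxy_requests", "yes") != "no":
        findings.append("proxy_requests is not 'no'")
    if "proxy.conf" in radiusd_cfg.get("$INCLUDE", []):
        findings.append("proxy.conf still $INCLUDEd")
    return findings


if __name__ == "__main__":
    for f in audit_eap_tls_only(parse(SAMPLE_EAP_CONF), parse(SAMPLE_RADIUSD_CONF)):
        print("FINDING:", f)
```

Run against real files by reading `eap.conf` and `radiusd.conf` into the two `parse()` calls; an empty findings list is the confirmation the thread was asking for. The parser is deliberately minimal (no `${var}` expansion, no nested `$INCLUDE` following), so treat it as a pre-commit sanity check, not a replacement for the server's own config check.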

