Setting up EAP-TLS as the ONLY authentication mechanism?

Arran Cudbard-Bell a.cudbardb at
Sun Mar 24 06:05:58 CET 2013

On 23 Mar 2013, at 23:32, Thomas Hruska <thruska at> wrote:

> On 3/23/2013 3:54 PM, Alan DeKok wrote:
>> Thomas Hruska wrote:
> <snip>
>>   Read proxy.conf.
> [Sigh]  I have.  It doesn't make sense to me.  Why enable it as a default if it isn't necessary for basic functionality?  Hopefully you can see how the average user might be confused, "Hey the authors enabled this by default.  Maybe there is a very important reason for that.

Nope, just means more things work with less tweaking.

>  I'll go ahead and leave it alone because they know better."  But I see an open port and wonder if it is actually necessary.  So I figured I would ask to obtain some knowledge of why it is enabled by default, hence the original questions.  Here's the text from 'radiusd.conf':
> #
> #  proxy_requests: Turns proxying of RADIUS requests on or off.
> #
> #  The server has proxying turned on by default.  If your system is NOT
> #  set up to proxy requests to another server, then you can turn proxying
> #  off here.  This will save a small amount of resources on the server.
> #
> #  If you have proxying turned off, and your configuration files say
> #  to proxy a request, then an error message will be logged.
> #
> #  To disable proxying, change the "yes" to "no", and comment the
> #  $INCLUDE line.
> #
> #  allowed values: {no, yes}
> #
> Nowhere in there does it explain why proxying is on by default.  It just says that it can be turned off.  I want to know why it is on by default in the first place.  From what I'm beginning to understand, based on your reply, FreeRADIUS opens a port that isn't necessary for basic functionality as part of its default installation.  That sort of behavior should at least raise an eyebrow if not a few red flags.

Why is authentication on by default, you might just want to do accounting? why is accounting on by default, you might just want to do authentication? It's on by default because it does no harm having it on by default, and makes it easier for people with no knowledge of the server to use the server.

You just add a realm, and it works, instead of having to toggle different bits of config to make it work.

I think the configs could probably do with trimming a bit, but it does not make sense to disable these things by default, as there are no security implications, just a slight increase in memory usage.

>>> Not sure why I would need this either.  Based on the 'secret' string's
>>> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
>>> not 100% confident about that.
>>   No.  Clients have nothing to do with proxies.
>>   Do you plan on testing your server?  If so, that entry can be useful.
> The default client secrets(s) should be different from the default proxy secret(s) to avoid confusion for first-time users.
> I missed that it is there for testing.  And I see why:

That sentence is ambiguous.

>>> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
>>> password - it can expire, but the message "Password Has Expired" seems
>>> like it will never appear (or, if it does, it'll be confusing to a
>>> user).  I'm probably not going to use the 'logintime' features.  'exec'
>>> might be useful since I probably will use the external 'openssl' based
>>> 'verify' method in 'eap.conf' (unless someone can suggest a better
>>> approach).
>>   So... delete the things you're not using.  That's why there are
>> comments explaining what those modules do.  So you can learn, and think
>> for yourself.
> Again, defaults exist for a reason.  The reasons for the defaults are what I'm actually after here.

Again it's so things just work. For rlm_logintime, if you read the code:

If there's no Login-Time attribute in the request it does nothing. If there is a Login-Time attribute in the request it ensures the user can only login before that time.

It means you can add Login-Time in a users file, and it'll just work, instead if hunting through the server to figure out where to turn on the Login-Time module.

>>>  Some of the stuff in 'eap.conf' is confusing.  I've commented
>>> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
>>> uncommented and set 'default_eap_type = tls', but I'm not sure if that
>>> is all I need to do.  Documentation on setting up an "EAP-TLS only"
>>> RADIUS server is limited.
>> I mean it's nonsense to *expect*
>> that there will be lots of documentation on setting up your exact
>> desired configuration.
> All I was asking here was if commenting out those protocols in 'eap.conf' was all I have to do to disable them?  A simple confirmation would suffice.

Yes. It's all you have to do to disable them.

>>  You're looking for reassurance that editing the config files won't
>> cause the server to explode in flaming metal.  It won't.  Edit them.
> I admit that there is a little of that, but I'm just trying to save myself from breaking things too badly by understanding why the defaults are the defaults before I go and blow away large portions of config.

Don't look at what the default configs do, learn how the server processes requests

Once you figure it out, feel free to contribute back more documentation.

Create a new virtual server just containing

authorize {


authenticate {




and get the files module working, using rad_test to send requests. Run the server with -X look at and understand all the debugging output. Feel free to mention any that you think doesn't make sense and why.

You will probably have an easier time doing this with 3.0 (build from master branch), and the server config is rather a lot more consistent and debug output is improved.

Then when you eat what's happening there, get EAP-MD5 working then try EAP-TLS.

At each stage make sure you fully understand the debug output and what's going on. When in doubt read the code. It's all up there on GitHub. There's even a where you can search for structures and types.


More information about the Freeradius-Users mailing list