Setting up EAP-TLS as the ONLY authentication mechanism?

Alan DeKok aland at deployingradius.com
Sun Mar 24 13:59:53 CET 2013


Thomas Hruska wrote:
> Nowhere in there does it explain why proxying is on by default.  It just
> says that it can be turned off.  I want to know why it is on by default
> in the first place.  From what I'm beginning to understand, based on
> your reply, FreeRADIUS opens a port that isn't necessary for basic
> functionality as part of its default installation.  That sort of
> behavior should at least raise an eyebrow if not a few red flags.

  You're unhappy that your questions got push-back.  So you're pushing
back in return.  However... you know little or nothing about RADIUS, and
I've been doing this for 20 years.

  I won't explain why there are no "red flags" in the default
configuration.  I *will* explain that it's unproductive for newbies to
second-guess experts.

> The default client secrets(s) should be different from the default proxy
> secret(s) to avoid confusion for first-time users.

  So as a first-time user, you know more about their needs than someone
who's done this for 20 years?

> I missed that it is there for testing.  And I see why:

  Don't quote the config files at me.  I wrote them.  This just comes
across as condescending, and lecturing me about the text I wrote.

> Again, defaults exist for a reason.  The reasons for the defaults are
> what I'm actually after here.

  The reasons are given in the documentation, web pages, "man" pages,
config files, etc.  The defaults enable the server to do the Right Thing
in the widest possible set of circumstances.

  i.e. so that newbies like you can get the server running with minimal
work.

  Your response is to insult the developers, by claiming that the
defaults "raise red flags".

  Stop it.  It's ignorant and annoying.

> All I was asking here was if commenting out those protocols in
> 'eap.conf' was all I have to do to disable them?  A simple confirmation
> would suffice.

  I answered that.

>>   You're looking for reassurance that editing the config files won't
>> cause the server to explode in flaming metal.  It won't.  Edit them.
> 
> I admit that there is a little of that, but I'm just trying to save
> myself from breaking things too badly by understanding why the defaults
> are the defaults before I go and blow away large portions of config.

  The defaults are documented.  See the comments in the config files.

  The procedure for editing the defaults is documented.  See "man radiusd".

  It's really not rocket science.  You're looking for emotional
reassurance that the server won't explode.  I'm not going to give it.
Instead, you should follow the documentation, and follow the documented
methods for editing the configuration.  If something goes wrong, it's
just text.  Put the old config back, and start again.


  And after doing this for 20 years, your message is typical of a
particular class of newbie.  The existing documentation is too
complicated.  Yet you don't ask a specific question.  Instead, you have
a long complicated post complaining about many things, and asking many
questions.  When I point this out, you start putting me down.

  I've had hundreds of conversations like this, and it's always annoying.

  Your entire approach is wrong.  Read "man radiusd".  That documents
the correct approach.

  Alan DeKok.


More information about the Freeradius-Users mailing list