Anyone got a working sites-available/tls file for FR 4.0- ?
Alex Sharaz
alex.sharaz at york.ac.uk
Fri Dec 2 17:31:10 CET 2016
Spoke too soon
Unpacked and built FR 4.0 from git
symbolically linked tls, default, buffered-sql and inner-tunnel from
sites-available to sites-enabled
ran
/usr/local/sbin/radiusd -d /etc/freeradius -X -l /var/log/freeradius/radius.log > /var/log/freeradius/radius.log
and got
Error : /etc/freeradius/sites-enabled/tls[7]: Listeners of type 'auth+acct' MUST be defined in a server.
Edited tls to add server tls {....}
and got
Dec 2 16:20:56 2016 : Debug : cipher_list = "DEFAULT"
Fri Dec 2 16:20:56 2016 : Debug : cipher_server_preference = yes
Fri Dec 2 16:20:56 2016 : Debug : allow_renegotiation = no
Fri Dec 2 16:20:56 2016 : Debug : require_client_cert = yes
Fri Dec 2 16:20:56 2016 : Debug : ecdh_curve = "prime256v1"
Fri Dec 2 16:20:56 2016 : Debug : cache {
Fri Dec 2 16:20:56 2016 : Debug : lifetime = 24
Fri Dec 2 16:20:56 2016 : Debug : verify = no
Fri Dec 2 16:20:56 2016 : Error : /etc/freeradius/sites-enabled/tls[253]: Configuration pair "enable" is deprecated
commented out
#enable = no
ran again
Fri Dec 2 16:21:51 2016 : Debug : auto_chain = yes
Fri Dec 2 16:21:51 2016 : Debug : check_crl = no
Fri Dec 2 16:21:51 2016 : Debug : cipher_list = "DEFAULT"
Fri Dec 2 16:21:51 2016 : Debug : cipher_server_preference = yes
Fri Dec 2 16:21:51 2016 : Debug : allow_renegotiation = no
Fri Dec 2 16:21:51 2016 : Debug : require_client_cert = yes
Fri Dec 2 16:21:51 2016 : Debug : ecdh_curve = "prime256v1"
Fri Dec 2 16:21:51 2016 : Debug : cache {
Fri Dec 2 16:21:51 2016 : Debug : lifetime = 24
Fri Dec 2 16:21:51 2016 : Debug : verify = no
Fri Dec 2 16:21:51 2016 : Error : /etc/freeradius/sites-enabled/tls[269]: Configuration pair "max_entries" is deprecated
commented out
#
# The maximum number of entries in the
# cache. Set to "0" for "infinite".
#
# This could be set to the number of users
# who are logged in... which can be a LOT.
#
#max_entries = 255
and got
Fri Dec 2 16:22:46 2016 : Debug : staple {
Fri Dec 2 16:22:46 2016 : Debug : enable = no
Fri Dec 2 16:22:46 2016 : Debug : override_cert_url = no
Fri Dec 2 16:22:46 2016 : Debug : use_nonce = yes
Fri Dec 2 16:22:46 2016 : Debug : timeout = 0
Fri Dec 2 16:22:46 2016 : Debug : softfail = no
Fri Dec 2 16:22:46 2016 : Debug : }
Fri Dec 2 16:22:46 2016 : Debug : }
Fri Dec 2 16:22:46 2016 : Debug : limit {
Fri Dec 2 16:22:46 2016 : Debug : max_connections = 16
Fri Dec 2 16:22:46 2016 : Debug : lifetime = 0
Fri Dec 2 16:22:46 2016 : Debug : idle_timeout = 30
Fri Dec 2 16:22:46 2016 : Debug : }
Fri Dec 2 16:22:46 2016 : Debug : clients = "radsec"
Fri Dec 2 16:22:46 2016 : Error : /etc/freeradius/sites-enabled/tls[8]: Failed to find clients radsec {...}
but further down in tls we have
listen {
ipaddr = *
port = 2083
#
# TCP and TLS sockets can accept Access-Request and
# Accounting-Request on the same socket.
#
# auth = only Access-Request
# acct = only Accounting-Request
# auth+acct = both
#
type = auth+acct
# For now, only TCP transport is allowed.
proto = tcp
# Send packets to the default virtual server
virtual_server = default
clients = radsec
#
# Connection limiting for sockets with "proto = tcp".
#
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16
# The per-socket "max_requests" option does not exist.
#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0
#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
# This is *exactly* the same configuration as used by the EAP-TLS
# module. It's OK for testing, but for production use it's a good
# idea to use different server certificates for EAP and for RADIUS
# transport.
#
# If you want only one TLS configuration for multiple sockets,
# then we suggest putting "tls { ...}" into radiusd.conf.
# The subsection below can then be changed into a reference:
#
# tls = ${tls}
#
# Which means "the tls sub-section is not here, but instead is in
# the top-level section called 'tls'".
#
# If you have multiple tls configurations, you can put them into
# sub-sections of a top-level "tls" section. There's no need to
# call them all "tls". You can then use:
#
# tls = ${tls.site1}
#
# to refer to the "site1" sub-section of the "tls" section.
#
tls {
private_key_password = whatever
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
.....
# in the directory when the server starts.
# tmpdir = /tmp/radiusd
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
#
# The ${..ca_path} text is a reference to
# the ca_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
}
}
clients radsec {
client 127.0.0.1 {
ipaddr = 127.0.0.1
#
# Ensure that this client is TLS *only*.
#
proto = tls
.......
#
# TCP clients can have any shared secret.
#
# TLS clients MUST have the shared secret
# set to "radsec". Or, for "proto = tls",
# you can omit the secret, and it will
# automatically be set to "radsec".
#
secret = radsec
#
# You can also use a "limit" section here.
# See raddb/clients.conf for examples.
#
# Note that BOTH limits are applied. You
# should therefore set the "listen" limits
# higher than the ones for each individual
# client.
#
}
}
home_server tls {
ipaddr = 127.0.0.1
port = 2083
.....
I know you said I didn't need the server block, but without it I can't even get
as far as I did with the standard raddb configs.
A
On 2 December 2016 at 13:52, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
> So it does
> thx
> A
>
> On 2 December 2016 at 13:47, Alan DeKok <aland at deployingradius.com> wrote:
>
>>
>> > On Dec 2, 2016, at 8:04 AM, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
>> >
>> > Once I wrapped the supplied example in "server tls {....} "
>>
>> Why would you do that?
>>
>> > Get a "Failed
>> > to find clients radsec {..} message" even though the config is there.
>>
>> The example works as-is. You don't need to wrap it in a "server tls"
>> section.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
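The two start-up failures quoted in the thread (a `listen` section whose `clients = radsec` reference cannot be resolved, and the deprecated `enable` / `max_entries` pairs inside the `tls { cache { ... } }` subsection) can both be caught before radiusd is started. The following static checker is an added example, written for this thread; it is not part of the mailing-list post and not code from the FreeRADIUS project. It parses only the brace / `key = value` subset of the config syntax that the quoted `sites-available/tls` excerpt uses (no `$INCLUDE`, no unlang), the sample configs are constructed from that excerpt, and the `DEPRECATED_CACHE_PAIRS` set is assumed to contain exactly the two pairs the debug output rejected.

```python
"""Static sanity check for a FreeRADIUS RadSec listener file.

Added example for the thread above; not FreeRADIUS code.  It mirrors two of
the quoted start-up errors:
  - "Failed to find clients radsec {...}": a listen section refers to a
    'clients' list that is not defined in any enclosing scope, and
  - "Configuration pair X is deprecated": 'enable' / 'max_entries' inside
    tls { cache { ... } }.
The parser handles only the brace and key = value subset used below; values
containing a '#' inside quotes are not supported (assumption of this toy).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: the pairs the thread's debug output reported as deprecated.
DEPRECATED_CACHE_PAIRS = {"enable", "max_entries"}

SECTION_RE = re.compile(r"^(\w[\w.+-]*)(?:\s+(\S+))?\s*\{$")  # 'clients radsec {'
PAIR_RE = re.compile(r"^([\w.]+)\s*=\s*(.*)$")                  # 'port = 2083'


@dataclass
class Section:
    kind: str                    # e.g. "listen", "clients", "server", "tls"
    name: Optional[str]          # e.g. "radsec" in "clients radsec {"
    line: int
    parent: Optional["Section"]
    pairs: List[Tuple[str, str, int]] = field(default_factory=list)
    children: List["Section"] = field(default_factory=list)

    def walk(self):
        """Pre-order traversal of this section and everything below it."""
        yield self
        for child in self.children:
            yield from child.walk()


def parse(text: str) -> Section:
    """Build a Section tree; raise ValueError on unbalanced braces."""
    root = Section("root", None, 0, None)
    cur = root
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if cur.parent is None:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            cur = cur.parent
            continue
        m = SECTION_RE.match(line)
        if m:
            sec = Section(m.group(1), m.group(2), lineno, cur)
            cur.children.append(sec)
            cur = sec
            continue
        m = PAIR_RE.match(line)
        if m:
            cur.pairs.append((m.group(1), m.group(2).strip().strip('"'), lineno))
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if cur is not root:
        raise ValueError(f"line {cur.line}: section '{cur.kind}' never closed")
    return root


def find_clients(sec: Section, name: str) -> Optional[Section]:
    """Resolve 'clients = <name>' against the enclosing scopes, innermost first."""
    scope = sec.parent
    while scope is not None:
        for child in scope.children:
            if child.kind == "clients" and child.name == name:
                return child
        scope = scope.parent
    return None


def check(root: Section) -> List[str]:
    """Return a list of human-readable problems (empty list means clean)."""
    problems: List[str] = []
    for sec in root.walk():
        if sec.kind == "listen":
            for key, val, ln in sec.pairs:
                if key == "clients" and find_clients(sec, val) is None:
                    problems.append(f"{ln}: listen refers to clients {val!r} "
                                    f"but no 'clients {val} {{' section is defined")
        if sec.kind == "cache" and sec.parent is not None and sec.parent.kind == "tls":
            for key, _, ln in sec.pairs:
                if key in DEPRECATED_CACHE_PAIRS:
                    problems.append(f"{ln}: configuration pair {key!r} is deprecated")
    return problems


# Constructed sample, trimmed from the listen / clients excerpt in the thread.
SAMPLE_OK = """\
listen {
    ipaddr = *
    port = 2083
    type = auth+acct
    proto = tcp
    virtual_server = default
    clients = radsec
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
    tls {
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        require_client_cert = yes
        cache {
            lifetime = 24
        }
    }
}
clients radsec {
    client 127.0.0.1 {
        ipaddr = 127.0.0.1
        proto = tls
        secret = radsec
    }
}
"""

# Constructed broken variant: clients list renamed, deprecated cache pairs left in.
SAMPLE_BROKEN = (SAMPLE_OK
                 .replace("clients radsec {", "clients radsec_old {")
                 .replace("lifetime = 24\n",
                          "lifetime = 24\n            enable = no\n"
                          "            max_entries = 255\n"))

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(label, check(parse(cfg)) or "no problems")
```

Run it against a real `sites-enabled/tls` by reading the file into `parse()`; anything it cannot tokenise raises a `ValueError` with the line number, which is the same information radiusd `-X` eventually prints, but without having to restart the daemon for every edit. The lookup in `find_clients` walks outward from the `listen` section, so a `clients` list defined either at top level or inside a wrapping `server { ... }` section is accepted.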