Anyone got a working sites-available/tls file for FR 4.0- ?

Alex Sharaz alex.sharaz at york.ac.uk
Fri Dec 2 17:31:10 CET 2016


Spoke too soon

Unpacked and built FR 4.0 from git

Symlinked tls, default, buffered-sql and inner-tunnel from
sites-available to sites-enabled

ran

 /usr/local/sbin/radiusd -d /etc/freeradius -X -l /var/log/freeradius/radius.log > /var/log/freeradius/radius.log

and got

 Error : /etc/freeradius/sites-enabled/tls[7]: Listeners of type
'auth+acct' MUST be defined in a server.

Edited tls to add server tls {....}

and got

Fri Dec  2 16:20:56 2016 : Debug :      cipher_list = "DEFAULT"
Fri Dec  2 16:20:56 2016 : Debug :      cipher_server_preference = yes
Fri Dec  2 16:20:56 2016 : Debug :      allow_renegotiation = no
Fri Dec  2 16:20:56 2016 : Debug :      require_client_cert = yes
Fri Dec  2 16:20:56 2016 : Debug :      ecdh_curve = "prime256v1"
Fri Dec  2 16:20:56 2016 : Debug :     cache {
Fri Dec  2 16:20:56 2016 : Debug :      lifetime = 24
Fri Dec  2 16:20:56 2016 : Debug :      verify = no
Fri Dec  2 16:20:56 2016 : Error : /etc/freeradius/sites-enabled/tls[253]:
Configuration pair "enable" is deprecated

commented out

           #enable = no

ran again

Fri Dec  2 16:21:51 2016 : Debug :      auto_chain = yes
Fri Dec  2 16:21:51 2016 : Debug :      check_crl = no
Fri Dec  2 16:21:51 2016 : Debug :      cipher_list = "DEFAULT"
Fri Dec  2 16:21:51 2016 : Debug :      cipher_server_preference = yes
Fri Dec  2 16:21:51 2016 : Debug :      allow_renegotiation = no
Fri Dec  2 16:21:51 2016 : Debug :      require_client_cert = yes
Fri Dec  2 16:21:51 2016 : Debug :      ecdh_curve = "prime256v1"
Fri Dec  2 16:21:51 2016 : Debug :     cache {
Fri Dec  2 16:21:51 2016 : Debug :      lifetime = 24
Fri Dec  2 16:21:51 2016 : Debug :      verify = no
Fri Dec  2 16:21:51 2016 : Error : /etc/freeradius/sites-enabled/tls[269]:
Configuration pair "max_entries" is deprecated

commented out
  #
                      #  The maximum number of entries in the
                      #  cache.  Set to "0" for "infinite".
                      #
                      #  This could be set to the number of users
                      #  who are logged in... which can be a LOT.
                      #
                      #max_entries = 255

and got

Fri Dec  2 16:22:46 2016 : Debug :     staple {
Fri Dec  2 16:22:46 2016 : Debug :      enable = no
Fri Dec  2 16:22:46 2016 : Debug :      override_cert_url = no
Fri Dec  2 16:22:46 2016 : Debug :      use_nonce = yes
Fri Dec  2 16:22:46 2016 : Debug :      timeout = 0
Fri Dec  2 16:22:46 2016 : Debug :      softfail = no
Fri Dec  2 16:22:46 2016 : Debug :     }
Fri Dec  2 16:22:46 2016 : Debug :    }
Fri Dec  2 16:22:46 2016 : Debug :    limit {
Fri Dec  2 16:22:46 2016 : Debug :      max_connections = 16
Fri Dec  2 16:22:46 2016 : Debug :      lifetime = 0
Fri Dec  2 16:22:46 2016 : Debug :      idle_timeout = 30
Fri Dec  2 16:22:46 2016 : Debug :    }
Fri Dec  2 16:22:46 2016 : Debug :      clients = "radsec"
Fri Dec  2 16:22:46 2016 : Error : /etc/freeradius/sites-enabled/tls[8]:
Failed to find clients radsec {...}

but further down in tls we have

listen {
        ipaddr = *
        port = 2083

        #
        #  TCP and TLS sockets can accept Access-Request and
        #  Accounting-Request on the same socket.
        #
        #       auth      = only Access-Request
        #       acct      = only Accounting-Request
        #       auth+acct = both
        #
        type = auth+acct

        # For now, only TCP transport is allowed.
        proto = tcp

        # Send packets to the default virtual server
        virtual_server = default

        clients = radsec

        #
        #  Connection limiting for sockets with "proto = tcp".
        #
        limit {
              #
              #  Limit the number of simultaneous TCP connections to the socket
              #
              #  The default is 16.
              #  Setting this to 0 means "no limit"
              max_connections = 16

              #  The per-socket "max_requests" option does not exist.

              #
              #  The lifetime, in seconds, of a TCP connection.  After
              #  this lifetime, the connection will be closed.
              #
              #  Setting this to 0 means "forever".
              lifetime = 0

              #
              #  The idle timeout, in seconds, of a TCP connection.
              #  If no packets have been received over the connection for
              #  this time, the connection will be closed.
              #
              #  Setting this to 0 means "no timeout".
              #
              #  We STRONGLY RECOMMEND that you set an idle timeout.
              #
              idle_timeout = 30
        }

        #  This is *exactly* the same configuration as used by the EAP-TLS
        #  module.  It's OK for testing, but for production use it's a good
        #  idea to use different server certificates for EAP and for RADIUS
        #  transport.
        #
        #  If you want only one TLS configuration for multiple sockets,
        #  then we suggest putting "tls { ...}" into radiusd.conf.
        #  The subsection below can then be changed into a reference:
        #
        #       tls = ${tls}
        #
        #  Which means "the tls sub-section is not here, but instead is in
        #  the top-level section called 'tls'".
        #
        #  If you have multiple tls configurations, you can put them into
        #  sub-sections of a top-level "tls" section.  There's no need to
        #  call them all "tls".  You can then use:
        #
        #       tls = ${tls.site1}
        #
        #  to refer to the "site1" sub-section of the "tls" section.
        #
        tls {
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem

                #  If Private key & Certificate are located in
                #  the same file, then private_key_file &
                #  certificate_file must contain the same file
                #  name.
                #
                #  If ca_file (below) is not used, then the
                #  certificate_file below MUST include not
                #  only the server certificate, but ALSO all
.....
                       #  in the directory when the server starts.
        #               tmpdir = /tmp/radiusd

                        #  The command used to verify the client cert.
                        #  We recommend using the OpenSSL command-line
                        #  tool.
                        #
                        #  The ${..ca_path} text is a reference to
                        #  the ca_path variable defined above.
                        #
                        #  The %{TLS-Client-Cert-Filename} is the name
                        #  of the temporary file containing the cert
                        #  in PEM format.  This file is automatically
                        #  deleted by the server when the command
                        #  returns.
        #               client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
                }
        }
}

clients radsec {
        client 127.0.0.1 {
                ipaddr = 127.0.0.1

                #
                #  Ensure that this client is TLS *only*.
                #
                proto = tls
.......

                #
                #  TCP clients can have any shared secret.
                #
                #  TLS clients MUST have the shared secret
                #  set to "radsec".  Or, for "proto = tls",
                #  you can omit the secret, and it will
                #  automatically be set to "radsec".
                #
                secret = radsec

                #
                #  You can also use a "limit" section here.
                #  See raddb/clients.conf for examples.
                #
                #  Note that BOTH limits are applied.  You
                #  should therefore set the "listen" limits
                #  higher than the ones for each individual
                #  client.
                #
        }
}

home_server tls {
        ipaddr = 127.0.0.1
        port = 2083
.....


I know you said I didn't need the server block, but without it I can't even get
as far as I did with the standard raddb configs.

A


On 2 December 2016 at 13:52, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:

> So it does
> thx
> A
>
> On 2 December 2016 at 13:47, Alan DeKok <aland at deployingradius.com> wrote:
>
>>
>> > On Dec 2, 2016, at 8:04 AM, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
>> >
>> > Once I wrapped the supplied example in "server tls {....} "
>>
>>   Why would you do that?
>>
>> > Get a "Failed
>> > to find clients radsec {..} message" even though the config is there.
>>
>>   The example works as-is.  You don't need to wrap it in a "server tls"
>> section.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
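A static check for the three things that went wrong in this thread, written for this edit and not part of the post or of FreeRADIUS. It parses the raddb brace syntax (just `name {`, `name name2 {`, `key = value`, `#` comments and `}`), flags the `enable` and `max_entries` pairs inside `tls { cache { } }` that this git build reports as deprecated, reports a `clients = NAME` pair in a `listen` section whose `clients NAME { }` section exists only inside a `server { }` wrapper, and catches an unclosed section such as a doubled `limit {` with a single `}`. The clients check assumes the server resolves that reference against top-level `clients` sections only, which is consistent with the wrapped config failing with "Failed to find clients radsec" and with the reply that the unwrapped example works as-is; that is an assumption, not something the thread states. The sample configs are constructed, trimmed versions of the fragment quoted above.

```python
"""Lint a FreeRADIUS-style config fragment for the problems seen in this thread.

Added example, not FreeRADIUS code.  Only the subset of raddb syntax used
here is parsed: 'name {', 'name name2 {', 'key = value', '#' comments, '}'.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Section:
    name: str                    # first word, e.g. "listen", "clients", "server"
    name2: Optional[str]         # second word, e.g. "radsec" in "clients radsec {"
    line: int                    # line the section was opened on
    parent: Optional["Section"]
    pairs: dict = field(default_factory=dict)     # key -> (value, line)
    children: list = field(default_factory=list)


SECTION_RE = re.compile(r'^([A-Za-z0-9_.-]+)(?:\s+([A-Za-z0-9_.:-]+))?\s*\{$')
PAIR_RE = re.compile(r'^([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$')

# Pairs this git build rejected inside tls { cache { } } with "Configuration pair ... is deprecated".
DEPRECATED_CACHE_PAIRS = ("enable", "max_entries")


def strip_comment(line: str) -> str:
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == '#' and not quoted:
            break
        out.append(ch)
    return ''.join(out).strip()


def parse(text: str):
    """Build the section tree; brace problems are returned as findings, not raised."""
    root = Section("<root>", None, 0, None)
    cur, problems = root, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if line == '}':
            if cur is root:
                problems.append(f"line {lineno}: unexpected '}}'")
            else:
                cur = cur.parent
            continue
        m = SECTION_RE.match(line)
        if m:
            sec = Section(m.group(1), m.group(2), lineno, cur)
            cur.children.append(sec)
            cur = sec
            continue
        m = PAIR_RE.match(line)
        if m:
            cur.pairs[m.group(1)] = (m.group(2).strip('"'), lineno)
            continue
        problems.append(f"line {lineno}: unparsed text {line!r}")
    while cur is not root:           # e.g. a doubled 'limit {' closed by a single '}'
        problems.append(f"line {cur.line}: section '{cur.name}' is never closed")
        cur = cur.parent
    return root, problems


def walk(sec: Section):
    yield sec
    for child in sec.children:
        yield from walk(child)


def lint(text: str) -> list:
    root, findings = parse(text)
    # 1. deprecated pairs inside tls { cache { } }
    for sec in walk(root):
        if sec.name == "cache" and sec.parent is not None and sec.parent.name == "tls":
            for key in DEPRECATED_CACHE_PAIRS:
                if key in sec.pairs:
                    findings.append(f"line {sec.pairs[key][1]}: cache pair '{key}' is deprecated, remove it")
    # 2. 'clients = NAME' in a listen section.  ASSUMPTION: the server resolves NAME
    #    against top-level 'clients NAME { }' sections only, so a copy nested inside
    #    'server xxx { }' is not found ("Failed to find clients NAME {...}").
    top_level = {c.name2 for c in root.children if c.name == "clients"}
    anywhere = {s.name2: s for s in walk(root) if s.name == "clients"}
    for sec in walk(root):
        if sec.name != "listen" or "clients" not in sec.pairs:
            continue
        name, line = sec.pairs["clients"]
        if name in top_level:
            continue
        if name in anywhere:
            nested = anywhere[name]
            where = nested.parent.name + (f" {nested.parent.name2}" if nested.parent.name2 else "")
            findings.append(f"line {line}: clients = {name} resolves only to a 'clients {name} {{ }}' "
                            f"at line {nested.line} inside '{where}', not at top level")
        else:
            findings.append(f"line {line}: no 'clients {name} {{ }}' section found at all")
    return findings


# Constructed, trimmed version of the quoted fragment, wrapped in 'server tls { }' as in the post.
WRAPPED = """\
server tls {
  listen {
    port = 2083
    type = auth+acct
    proto = tcp
    clients = radsec
    tls {
      private_key_file = ${certdir}/server.pem
      cache {
        enable = no
        lifetime = 24
        max_entries = 255
      }
    }
  }
  clients radsec {
    client 127.0.0.1 {
      ipaddr = 127.0.0.1
      proto = tls
      secret = radsec
    }
  }
}
"""

# Constructed: no server wrapper, clients at top level, deprecated cache pairs removed.
FIXED = """\
listen {
  port = 2083
  type = auth+acct
  proto = tcp
  clients = radsec
  tls {
    private_key_file = ${certdir}/server.pem
    cache {
      lifetime = 24
    }
  }
}
clients radsec {
  client 127.0.0.1 {
    ipaddr = 127.0.0.1
    proto = tls
    secret = radsec
  }
}
"""

# Constructed: the doubled 'limit {' paste error with only one closing brace.
DOUBLED_LIMIT = "listen {\n  limit {\n  limit {\n    idle_timeout = 30\n  }\n}\n"

if __name__ == "__main__":
    for label, cfg in (("wrapped", WRAPPED), ("fixed", FIXED), ("doubled limit", DOUBLED_LIMIT)):
        print(label, lint(cfg) or "ok")
```

Run it against a real sites-enabled/tls before starting radiusd -X: it reports line numbers in the same style as the server's own `tls[NNN]` errors, so the three fix-and-rerun cycles in the post collapse into one pass.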


More information about the Freeradius-Users mailing list