Radsec config query
Alex Sharaz
alex.sharaz at york.ac.uk
Fri Jul 21 13:47:47 CEST 2017
What I've got is
listen {
    ipv6addr = *
    port = 2083
    #
    # TCP and TLS sockets can accept Access-Request and
    # Accounting-Request on the same socket.
    #
    # auth = only Access-Request
    # acct = only Accounting-Request
    # auth+acct = both
    #
    type = auth+acct
    # For now, only TCP transport is allowed.
    proto = tcp
    # Send packets to the default virtual server
    virtual_server = default
    clients = radsec
    #
    # Connection limiting for sockets with "proto = tcp".
    #
    limit {
        #
        # Limit the number of simultaneous TCP connections to the
        # socket
        #
        # The default is 16.
        # Setting this to 0 means "no limit"
        max_connections = 16
        # The per-socket "max_requests" option does not exist.
        #
        # The lifetime, in seconds, of a TCP connection. After
        # this lifetime, the connection will be closed.
        #
        # Setting this to 0 means "forever".
        lifetime = 0
        #
        # The idle timeout, in seconds, of a TCP connection.
        # If no packets have been received over the connection for
        # this time, the connection will be closed.
        #
        # Setting this to 0 means "no timeout".
        #
        # We STRONGLY RECOMMEND that you set an idle timeout.
        #
        idle_timeout = 30
    }
    # This is *exactly* the same configuration as used by the EAP-TLS
    # module. It's OK for testing, but for production use it's a good
    # idea to use different server certificates for EAP and for RADIUS
    # transport.
    #
    # If you want only one TLS configuration for multiple sockets,
    # then we suggest putting "tls { ...}" into radiusd.conf.
    # The subsection below can then be changed into a reference:
    #
    # tls = ${tls}
    #
    # Which means "the tls sub-section is not here, but instead is in
    # the top-level section called 'tls'".
    #
    # If you have multiple tls configurations, you can put them into
    # sub-sections of a top-level "tls" section. There's no need to
    # call them all "tls". You can then use:
    #
    # tls = ${tls.site1}
    #
    # to refer to the "site1" sub-section of the "tls" section.
    #
    tls = ${tls.prodn2}
}
clients radsec {
    client 2a03:b0c0:1:a1::a9f:8001 {
        ipv6addr = 2a03:b0c0:1:a1::a9f:8001
        proto = tls
        secret = radsec
    }
    client 127.0.0.1 {
        ipaddr = 127.0.0.1
        proto = tls
        secret = radsec
    }
}
.......
On 21 July 2017 at 12:39, Alan DeKok <aland at deployingradius.com> wrote:
> On Jul 21, 2017, at 6:34 AM, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
> > FR fails to start up with error
> >
> > Fri Jul 21 10:19:24 2017 : Error: /usr/local/etc/freeradius/sites-enabled/tls[87]: Client does not have the same TLS configuration as the listener
> > Fri Jul 21 10:19:24 2017 : Error: /usr/local/etc/freeradius/sites-enabled/tls[7]: Failed to load clients for this listen section
>
> The listen section has tls enabled, but the client does not.
>
> > but all I've done is move the tls{..} contents into radiusd.conf tls
> > {prodn2 {...}} and added a tls=${tls.prodn2} statement.
>
> Hmm... maybe it's getting confused about tls as a sub-section versus a
> reference.
>
> I'll take a look....
>
> Alan DeKok.
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html