Dynamic Client and TCP/TLS

Alan DeKok aland at deployingradius.com
Sat May 11 22:40:51 CEST 2019

On May 11, 2019, at 1:08 PM, Karim Benayed <benayed at gmail.com> wrote:
> Hi,  I am trying to setup Dynamic Client configuration where Redis is used
> to retrieve the secret, setup the FreeRADIUS-Client attributes and redirect
> for authentication.
> The model is working perfectly for UDP with Dynamic Clients and for TCP/TLS
> non-dynamic clients.
> The moment I enable Dynamic Clients against the TCP/TLS configuration, I
> get the following error:

  In order to do TCP/TLS, the server has to do *full* TLS negotiation.  Only then can it read any packets.

  The short answer is that it's not set up to do dynamic clients for TCP/TLS.  Changing that isn't trivial.

  The simple solution is to just forbid dynamic clients when TCP/TLS is used.

  For TCP/TLS tho, you don't *need* dynamic clients.  Just allow 0/0, and the require a known client certificate.  If the certificate is OK, you don't really care where the packets come from.

  Alan DeKok.

More information about the Freeradius-Users mailing list