Help in moving FR1.x to 3.x EAP-TLS setup.

Gregory Sloop gregs at
Wed May 29 17:48:35 CEST 2019

So, I've got a current FR setup, version 2.2.8 [although the last time I've done this was under a 1.x FR version - these configs are under an upgraded distro version - so the newer FR setups are somewhat confusing for me. This is all under Ubuntu - this setup started life as a 12.04 (IIRC) setup, and got upgraded to 16.04. I'm now trying to migrate it to a fresh setup on 18.04.]

I'm trying to move it to a new FR setup under 3.0.16.

It's a Wifi WPA setup - using EAP-TLS with certificates/key only. [Not PEAP etc.]

And I'm having trouble. Rather than have you look at a debug - perhaps I should start here.
I'm not sure I'm doing the right steps for setup/configuration.

Moving clients.conf is obvious.
[Though I've added the newer "ipaddr" to them.]

I have created new certs/keys/ca - and I'm pretty sure I've done that correctly. [Lets assume I have for now - we'll come back to that later, if needed. I can always test with the old certs/keys too, because I know those work. I'm using GNUTLS to handle CA/Cert/Key creation, and I know I need to add the OID's for "server" and "client" as applicable. And I've verified these are present in the relevant certs.]

Now, to where I'm quite unsure...
I need to edit the EAP configuration in ./mods-available, and create a link to it in ./mods-enabled - right?

Here's what is in my current eap [in FR 2.2.8] - though the eap.conf file isn't in the mods-available directory, it's in the main FR config dir. I suppose I could probably leave it that way, but I'm trying to do this the "new" way.

eap {
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096

        #md5 {
        #leap {
        #gtc {
        #        auth_type = PAP

        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                #private_key_password = whatever
                private_key_file = ${certdir}/radius.somedom.local.key
                certificate_file = ${certdir}/radius.somedom.local.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                CA_path = ${cadir}
                check_crl = yes
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"

                cache {
                      enable = no
                      lifetime = 24 # hours
                      max_entries = 255
                verify {

        #ttls {
        #        default_eap_type = md5
        #        copy_request_to_tunnel = no
        #        use_tunneled_reply = no
        #        virtual_server = "inner-tunnel"

        #peap {
        #        default_eap_type = mschapv2
        #        copy_request_to_tunnel = no
        #        use_tunneled_reply = no
        #        virtual_server = "inner-tunnel"

        #mschapv2 {

Though to start, I think I'll avoid checking a CRL - just to keep things simple.
Do, I just essentially paste this config straight into the new one? 
[I don't think so - there's a new section "tls-config tls-common" and I'm unsure about that.]

I don't believe there are any changes I made previously [or need to make now] to radiusd.conf?
Is there anything else I need to do? 

Thanks in advance!


More information about the Freeradius-Users mailing list