Help in moving FR1.x to 3.x EAP-TLS setup.

Gregory Sloop gregs at
Wed May 29 22:55:15 CEST 2019

>> I'm not sure I'm doing the right steps for setup/configuration.

AD>   See

AD>   That contains detailed instructions for (a) starting from a
AD> default config, and (b) having EAP / WiFi auth work.

>> Here's what is in my current eap [in FR 2.2.8] - though the eap.conf file isn't in the mods-available directory, it's in the main FR config dir. I suppose I could probably leave it that way, but I'm trying to do this the "new" way.

AD>   Please don't move your v2 config to v3.  Start with the default
AD> configuration in v3, in a fresh v3 installation.  Then, gradually
AD> re-create the *functionality* piece by piece, with testing.

The web page you point to isn't very helpful for EAP-TLS - at least the config portion, which is what I'm having issues with.

But that said, I did get it working with the "old" eap config.

However, I need some guidance in putting that into the new config layout/style.
It looks like the eap section is pretty much unchanged, except for hollowing out tls{} and moving it all into tls-common{} and pointing the tls section at tls-common.

Otherwise the config appears unchanged, really.

So, does this look about right?
[Obviously substituting the proper values for my setup.]
eap {
	default_eap_type = tls
	timer_expire     = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	tls-config tls-common {
		private_key_password = whatever
		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
		ca_file = /etc/ssl/certs/ca-certificates.crt
		#auto_chain = yes
		#psk_identity = "test"
		#psk_hexphrase = "036363823"
		dh_file = ${certdir}/dh
		#random_file = /dev/urandom
		#fragment_size = 1024
		#include_length = yes
		#check_crl = yes
		#check_all_crl = yes
		ca_path = ${cadir}
		#allow_expired_crl = no
		#check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
		#check_cert_cn = %{User-Name}
		cipher_list = "DEFAULT"
		cipher_server_preference = no
		#disable_tlsv1_2 = no
		#disable_tlsv1_1 = no
		#disable_tlsv1 = no
		#tls_min_version = "1.0"
		#tls_max_version = "1.2"
		ecdh_curve = "prime256v1"
		cache {
			enable = no
			lifetime = 24 # hours
			#name = "EAP module"
			#persist_dir = "${logdir}/tlscache"
	tls {
		# Point to the common TLS configuration
		tls = tls-common


More information about the Freeradius-Users mailing list