Help in moving FR1.x to 3.x EAP-TLS setup.
Alan DeKok
aland at deployingradius.com
Thu May 30 03:59:19 CEST 2019
On May 29, 2019, at 6:44 PM, Gregory Sloop <gregs at sloop.net> wrote:
> AD> If you use eapol_test as described in that page, it's simple to
> AD> add client configurations for EAP-TLS. In v3, sample
> AD> configuration for eapol_test are in src/tests/eap*.conf
>
> I don't see any of that ^^^ in Ubuntu.
The source code *is* available on github, and via "tar" files from the main web site.
> I'm puzzled. Perhaps FR3 from sources is way different than FR3 in Ubuntu 18.04 - but I'm pretty sure you'll need an eap[.conf] configured in the /mods-available and linked in the /mods-enabled directory to make this work.
Yes. But the default configuration does that.
> Thus, you can't just create a CA/Cert/Key and EAP-TLS 'just works' as per http://deployingradius.com/documents/configuration/eap.html - at least not with Ubuntu.
Maybe Ubuntu broke the default configuration, but I doubt it.
> I'm fine with having to configure eap, but at least on Ubuntu it won't work unless you configure EAP and put a link [or the actual config] in
> /etc/freeradius/3.0/mods-enabled.
That link should be added in the default configuration.
> Probably I'll try to work up a how-to for Ubuntu 18.04 - since the WPA-Enterprise/Radius howto on the wiki is at least 10 years old, and doesn't reflect the realities of 2.x or 3.x, or anything newer than Windows XP.
The examples on the Wiki are from 3.0. They work. The main issue is that Debian systems recently switched the config file from /etc/freeradius to /etc/freeradius/3.0. But that's really the only change.
> I stand a few of these up, perhaps every 10 years or the like - so I'm never going to become a FR guru. Having something modestly straight-forward, without having to wade through a bunch of documentation would be helpful.
Again, the default configuration works. Read the configuration files, the comments, and it will be pretty straightforward.
What doesn't work is copying config files from v2 to v3. That's just impossible across major version upgrades.
What will work is following my guide, at least for TTLS and PEAP. What will work is using the eapol_test configs from the source tree.
Alan DeKok.
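An added example, not from this thread or the FreeRADIUS project, that checks the 3.x module layout the reply describes (mods-available/eap linked from mods-enabled) and writes an eapol_test EAP-TLS client block in wpa_supplicant syntax; the config directory, file names, identity and shared secret are assumptions.

```shell
#!/bin/sh
# check_eap_enabled CONFDIR
# Returns 0 when mods-available/eap exists AND mods-enabled/eap is a link
# (or file) enabling it, which is what a default 3.x install ships.
# CONFDIR is e.g. /etc/freeradius/3.0 on Debian/Ubuntu (assumed path).
check_eap_enabled() {
    confdir=$1
    avail="$confdir/mods-available/eap"
    enabled="$confdir/mods-enabled/eap"
    if [ ! -f "$avail" ]; then
        echo "missing $avail (eap module not installed?)" >&2
        return 1
    fi
    if [ ! -L "$enabled" ] && [ ! -f "$enabled" ]; then
        echo "eap not enabled: expected link $enabled -> $avail" >&2
        return 1
    fi
    return 0
}

# enable_eap CONFDIR
# Creates the relative symlink the default configuration would contain.
enable_eap() {
    mkdir -p "$1/mods-enabled"
    ln -sf "../mods-available/eap" "$1/mods-enabled/eap"
}

# write_eapol_tls_conf OUTFILE IDENTITY CA_CERT CLIENT_CERT KEY KEY_PASS
# Emits a network block for eapol_test that does EAP-TLS only; ca_cert
# makes the client verify the server certificate instead of accepting any.
write_eapol_tls_conf() {
    cat > "$1" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$2"
    ca_cert="$3"
    client_cert="$4"
    private_key="$5"
    private_key_passwd="$6"
}
EOF
}

# Example run against a local server (secret "testing123" is an assumption):
#   eapol_test -c eap-tls.conf -a 127.0.0.1 -p 1812 -s testing123
```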