Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Thomas Hruska

On 3/24/2013 5:59 AM, Alan DeKok wrote:

Thomas Hruska wrote:

Nowhere in there does it explain why proxying is on by default.  It just
says that it can be turned off.  I want to know why it is on by default
in the first place.  From what I'm beginning to understand, based on
your reply, FreeRADIUS opens a port that isn't necessary for basic
functionality as part of its default installation.  That sort of
behavior should at least raise an eyebrow if not a few red flags.


   You're unhappy that your questions got push-back.  So you're pushing
back in return.  However... you know little or nothing about RADIUS, and
I've been doing this for 20 years.



   And after doing this for 20 years, your message is typical of a
particular class of newbie.  The existing documentation is too
complicated.  Yet you don't ask a specific question.  Instead, you have
a long complicated post complaining about many things, and asking many
questions.  When I point this out, you start putting me down.

   I've had hundreds of conversations like this, and it's always annoying.

   Your entire approach is wrong.  Read man radiusd.  That documents
the correct approach.


The difference between your response and Arran's response to my questions is 
night and day.  He was moderately polite while you were and are 
downright rude.  I've met grizzled veteran developers before.  You are 
one of those.  As a developer myself, I know I've got two options:


1)  Fend off the newbies constantly.
2)  Write better documentation.  With a dash of humor in the mix.  If it 
isn't fun, then it isn't worth reading (or writing) it.


I've found that the latter creates a MUCH better experience for everyone 
(i.e. the nuisances go away - hey, I've been where you are at as 
well).  I've also found that *I* have to actually write the 
documentation because no one else will do it for me (e.g. Wikis don't 
really work for software).  And it isn't a FAQ, it is real documentation 
naturally covering a wide range of common (and even uncommon) topics.  I 
always include a documentation cycle in my software releases - and it 
takes about a week to two weeks to complete, but it is so worth it. 
Whenever a user asks a question, I check the documentation to make sure 
I wrote something about it, write a quick paragraph in a polite 
response, and link to the right place, knowing someone else will find 
the post + reply via a Google search later and won't ask the same 
question as a result.  That's the other key factor - making sure stuff 
can be found via Google as a top result on the official site.  Google is 
your first line of defense against newbies and, when you host the 
content yourself, you control that line of defense.


On a different note, I've also found that telling people how long I've 
been writing software does nothing beneficial.  You just get into a 
yelling match with those who have been writing software longer.


Anyway, just a few things I've picked up over the years.

I can tell when I'm not wanted, so I'll just drop off this list.  Later.



   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.

http://cubiclesoft.com/


Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Thomas Hruska
 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

^^
Again, I don't think I need a proxy and I'm not sure what the 
'accounting' port is for.  My policy is that fewer open ports is 
better.  So do I really want/need all of this?



A few additional questions of where I'm currently a bit stuck:

What do I need to do to set up FreeRADIUS so that it only supports 
EAP-TLS?  Some of the stuff in 'eap.conf' is confusing.  I've commented 
out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left 
uncommented and set 'default_eap_type = tls', but I'm not sure if that 
is all I need to do.  Documentation on setting up an EAP-TLS only 
RADIUS server is limited.


What is the best method of setting it up so that only the router can 
communicate with the RADIUS server on port 1812?



Sorry for the long post.



Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Thomas Hruska

On 3/23/2013 3:54 PM, Alan DeKok wrote:

Thomas Hruska wrote:

[snip]

   Read proxy.conf.


[Sigh]  I have.  It doesn't make sense to me.  Why enable it as a 
default if it isn't necessary for basic functionality?  Hopefully you 
can see how the average user might be confused: "Hey, the authors enabled 
this by default.  Maybe there is a very important reason for that.  I'll 
go ahead and leave it alone because they know better."  But I see an 
open port and wonder if it is actually necessary.  So I figured I would 
ask to obtain some knowledge of why it is enabled by default, hence the 
original questions.  Here's the text from 'radiusd.conf':


# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the yes to no, and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#


Nowhere in there does it explain why proxying is on by default.  It just 
says that it can be turned off.  I want to know why it is on by default 
in the first place.  From what I'm beginning to understand, based on 
your reply, FreeRADIUS opens a port that isn't necessary for basic 
functionality as part of its default installation.  That sort of 
behavior should at least raise an eyebrow if not a few red flags.




Not sure why I would need this either.  Based on the 'secret' string's
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
not 100% confident about that.


   No.  Clients have nothing to do with proxies.

   Do you plan on testing your server?  If so, that entry can be useful.


The default client secret(s) should be different from the default proxy 
secret(s) to avoid confusion for first-time users.


I missed that it is there for testing.  And I see why:

###
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a short name that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word client was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the ipaddr or ipv6addr fields.  For compatibility, the 1.x
#  format is still accepted.
#



Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
password - it can expire, but the message "Password Has Expired" seems
like it will never appear (or, if it does, it'll be confusing to a
user).  I'm probably not going to use the 'logintime' features.  'exec'
might be useful since I probably will use the external 'openssl' based
'verify' method in 'eap.conf' (unless someone can suggest a better
approach).


   So... delete the things you're not using.  That's why there are
comments explaining what those modules do.  So you can learn, and think
for yourself.


Again, defaults exist for a reason.  The reasons for the defaults are 
what I'm actually after here.




  Some of the stuff in 'eap.conf' is confusing.  I've commented
out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
uncommented and set 'default_eap_type = tls', but I'm not sure if that
is all I need to do.  Documentation on setting up an EAP-TLS only
RADIUS server is limited.


I mean it's nonsense to *expect*
that there will be lots of documentation on setting up your exact
desired configuration.


All I was asking here was if commenting out those protocols in 
'eap.conf' was all I have to do to disable them?  A simple confirmation 
would suffice.




  You're looking for reassurance that editing the config files won't
cause the server to explode in flaming metal.  It won't.  Edit them.


I admit that there is a little of that, but I'm just trying to save 
myself from breaking things too badly by understanding why the defaults 
are the defaults before I go and blow away large portions of config.


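One way to confirm the three things this thread keeps circling back to (the 'eap.conf' cleanup asked about in the original post and again above, 'proxy_requests' in 'radiusd.conf', and a 'clients.conf' that lists only the router), as an added example that is not part of the thread or of FreeRADIUS itself: a small Python lint over the config text. The parser, the sample config strings and the router address 192.0.2.1 are assumptions made here; 'testing123' is the secret the shipped 'clients.conf' uses for the localhost test entry.

```python
# Added example, not FreeRADIUS code: lint config text for an EAP-TLS-only, no-proxy, router-only setup.
def parse(text):
    """Brace-aware parse into nested {'kv': {...}, 'sub': {...}}; '#' comments are dropped first."""
    root = {"kv": {}, "sub": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):                       # 'eap {', 'tls {', 'client router {'
            node = {"kv": {}, "sub": {}}
            stack[-1]["sub"][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif "=" in line:                            # blank and $INCLUDE lines fall through
            key, val = line.split("=", 1)
            stack[-1]["kv"][key.strip()] = val.strip().strip('"')
    return root

def eap_tls_only_issues(eap_conf):
    """Report anything but default_eap_type = tls and a lone tls { } inside eap { }."""
    eap = parse(eap_conf)["sub"].get("eap", {"kv": {}, "sub": {}})
    issues = []
    if eap["kv"].get("default_eap_type") != "tls":
        issues.append("default_eap_type = %s (expected tls)" % eap["kv"].get("default_eap_type"))
    if "tls" not in eap["sub"]:
        issues.append("tls { } subsection is missing")
    return issues + ["EAP type '%s' is still configured" % s for s in sorted(eap["sub"]) if s != "tls"]

def proxy_issues(radiusd_conf):
    """proxy_requests = no is what stops radiusd opening the proxy listener (port 1814 above)."""
    val = parse(radiusd_conf)["kv"].get("proxy_requests")
    return [] if val == "no" else ["proxy_requests = %s (expected no)" % val]

def client_issues(clients_conf, router_ip):
    """Every client { } must be the router, with a real secret rather than the stock 'testing123'."""
    issues = []
    for name, node in parse(clients_conf)["sub"].items():
        if name.startswith("client"):
            if node["kv"].get("ipaddr") != router_ip:
                issues.append("%s (ipaddr %s) is not the router" % (name, node["kv"].get("ipaddr")))
            if node["kv"].get("secret") in (None, "testing123"):
                issues.append("%s has no secret or the stock default secret" % name)
    return issues

# Constructed samples: stock-like eap.conf / clients.conf, then the EAP-TLS-only, router-only versions.
BEFORE_EAP = "eap {\n\tdefault_eap_type = md5\n\tmd5 {\n\t}\n\ttls {\n\t\tcertdir = ${confdir}/certs\n\t}\n\tmschapv2 {\n\t}\n}\n"
AFTER_EAP = "eap {\n\tdefault_eap_type = tls\n\t# md5 {\n\t# }\n\ttls {\n\t\tcertdir = ${confdir}/certs\n\t}\n}\n"
BEFORE_CLIENTS = "client localhost {\n\tipaddr = 127.0.0.1\n\tsecret = testing123\n}\n"
AFTER_CLIENTS = 'client router {\n\tipaddr = 192.0.2.1\n\tsecret = "long-random-shared-secret"\n}\n'
```

'clients.conf' only filters by source address inside radiusd; the network-side half of the port 1812 question is a host firewall rule that admits UDP/1812 from the router's address alone.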