Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan Buxey
All that stuff is on by default to ensure that people who want more than a 
really dumb and minimal server can get up and running without having to try to 
find what combination of stuff needs to be enabled.

So, eg proxying is enabled... what's the issue? Unless you have actually edited 
proxy.conf to do something, it won't do anything; there's no entry in 
clients.conf other than localhost either, so even if you had the required ports 
open to the world, nothing is going to happen.

If all you want is EAP-TLS auth then it's very easy to minimise to that 
config... much, much easier than having to learn the server better and trying to 
get there from a minimal config that doesn't work out of the box (ask those who 
have tried doing it that way... look at mailing list history for those that 
stripped the config out before then trying to get things to work).

This isn't Apache, which does have a whole load of things on and can get you 
p0wned on port 80 if you have that open to the world


This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.

List info/subscribe/unsubscribe? See

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan DeKok
Thomas Hruska wrote:
> Nowhere in there does it explain why proxying is on by default.  It just
> says that it can be turned off.  I want to know why it is on by default
> in the first place.  From what I'm beginning to understand, based on
> your reply, FreeRADIUS opens a port that isn't necessary for basic
> functionality as part of its default installation.  That sort of
> behavior should at least raise an eyebrow if not a few red flags.

  You're unhappy that your questions got push-back.  So you're pushing
back in return.  However... you know little or nothing about RADIUS, and
I've been doing this for 20 years.

  I won't explain why there are no red flags in the default
configuration.  I *will* explain that it's unproductive for newbies to
second-guess experts.

> The default client secrets(s) should be different from the default proxy
> secret(s) to avoid confusion for first-time users.

  So as a first-time user, you know more about their needs than someone
who's done this for 20 years?

> I missed that it is there for testing.  And I see why:

  Don't quote the config files at me.  I wrote them.  This just comes
across as condescending, and lecturing me about the text I wrote.

> Again, defaults exist for a reason.  The reasons for the defaults are
> what I'm actually after here.

  The reasons are given in the documentation, web pages, man pages,
config files, etc.  The defaults enable the server to do the Right Thing
in the widest possible set of circumstances.

  i.e. so that newbies like you can get the server running with minimal

  Your response is to insult the developers, by claiming that the
defaults raise red flags.

  Stop it.  It's ignorant and annoying.

> All I was asking here was if commenting out those protocols in
> 'eap.conf' was all I have to do to disable them?  A simple confirmation
> would suffice.

  I answered that.

>> You're looking for reassurance that editing the config files won't
>> cause the server to explode in flaming metal.  It won't.  Edit them.
> I admit that there is a little of that, but I'm just trying to save
> myself from breaking things too badly by understanding why the defaults
> are the defaults before I go and blow away large portions of config.

  The defaults are documented.  See the comments in the config files.

  The procedure for editing the defaults is documented.  See man radiusd.

  It's really not rocket science.  You're looking for emotional
reassurance that the server won't explode.  I'm not going to give it.
Instead, you should follow the documentation, and follow the documented
methods for editing the configuration.  If something goes wrong, it's
just text.  Put the old config back, and start again.

  And after doing this for 20 years, your message is typical of a
particular class of newbie.  The existing documentation is too
complicated.  Yet you don't ask a specific question.  Instead, you have
a long complicated post complaining about many things, and asking many
questions.  When I point this out, you start putting me down.

  I've had hundreds of conversations like this, and it's always annoying.

  Your entire approach is wrong.  Read man radiusd.  That documents
the correct approach.

  Alan DeKok.

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Thomas Hruska

On 3/24/2013 5:59 AM, Alan DeKok wrote:

> Thomas Hruska wrote:
>
>> Nowhere in there does it explain why proxying is on by default.  It just
>> says that it can be turned off.  I want to know why it is on by default
>> in the first place.  From what I'm beginning to understand, based on
>> your reply, FreeRADIUS opens a port that isn't necessary for basic
>> functionality as part of its default installation.  That sort of
>> behavior should at least raise an eyebrow if not a few red flags.
>
>   You're unhappy that your questions got push-back.  So you're pushing
> back in return.  However... you know little or nothing about RADIUS, and
> I've been doing this for 20 years.
>
>   And after doing this for 20 years, your message is typical of a
> particular class of newbie.  The existing documentation is too
> complicated.  Yet you don't ask a specific question.  Instead, you have
> a long complicated post complaining about many things, and asking many
> questions.  When I point this out, you start putting me down.
>
>   I've had hundreds of conversations like this, and it's always annoying.
>
>   Your entire approach is wrong.  Read man radiusd.  That documents
> the correct approach.

The difference from your response to Arran's response to my questions is 
night and day.  He was moderately polite while you were and are 
downright rude.  I've met grizzled veteran developers before.  You are 
one of those.  As a developer myself, I know I've got two options:

1)  Fend off the newbies constantly.
2)  Write better documentation.  With a dash of humor in the mix.  If it 
isn't fun, then it isn't worth reading (or writing).

I've found that the latter creates a MUCH better experience for everyone 
(i.e. the nuisances go away - hey, I've been where you are at as 
well).  I've also found that *I* have to actually write the 
documentation because no one else will do it for me (e.g. Wikis don't 
really work for software).  And it isn't a FAQ, it is real documentation 
naturally covering a wide range of common (and even uncommon) topics.  I 
always include a documentation cycle in my software releases - and it 
takes about a week to two weeks to complete, but it is so worth it. 
Whenever a user asks a question, I check the documentation to make sure 
I wrote something about it, write a quick paragraph in a polite 
response, and link to the right place, knowing someone else will find 
the post + reply via a Google search later and won't ask the same 
question as a result.  That's the other key factor - making sure stuff 
can be found via Google as a top result on the official site.  Google is 
your first line of defense against newbies and, when you host the 
content yourself, you control that line of defense.

On a different note, I've also found that telling people how long I've 
been writing software does nothing beneficial.  You just get into a 
yelling match with those who have been writing software longer.

Anyway, just a few things I've picked up over the years.

I can tell when I'm not wanted, so I'll just drop off this list.  Later.

> Alan DeKok.

Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan DeKok
Thomas Hruska wrote:
> The difference from your response to Arran's response to my questions is
> night and day.  He was moderately polite while you were and are
> downright rude.

  As always, my first response is polite and answers your questions.  I
only get blunt when people argue with me.

  I'll also note that you've conveniently deleted all of my other
points.  I'll take that as evidence you agree with them.

> That's the other key factor - making sure stuff
> can be found via Google as a top result on the official site.  Google is
> your first line of defense against newbies and, when you host the
> content yourself, you control that line of defense.

  Another lecture about how superior you are.

> On a different note, I've also found that telling people how long I've
> been writing software does nothing beneficial.  You just get into a
> yelling match with those who have been writing software longer.

  If you've been writing software for a long time, you should have been
able to figure out how to edit the default config.

> I can tell when I'm not wanted, so I'll just drop off this list.  Later.

  I have no patience for people who are ignorant about a subject, and
lecture me on it.

  This list is for people who want to solve RADIUS problems.  If you
focus on that, you're OK.  If you complain about red flags because of
your RADIUS ignorance, you will get told off, and rightly so.  It's rude
to be condescending to experts, and I won't have it.

  Alan DeKok.

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan Buxey
Blah blah. But you don't say what the issue is with the fact 
your issue was with the default config and your requirements...which are 
actually both fully documented in the config. I don't see why you've dropped in 
from nowhere, thrown your ego around and then claim to be leaving. Expect 
help/advice in the future? Because if so, you've gone about it the wrong way 



Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Thomas Hruska
I want to set up FreeRADIUS using EAP-TLS only.  I'm running Ubuntu 
Server 12.04.2 LTS here with the packaged build of FreeRADIUS from the 
default Ubuntu/Debian apt-get package repository.  I'm finding junk 
scattered all over the place for configuring this thing (typical), so my 
first objective is to get FreeRADIUS into a locked-down state so that 
'freeradius -X' doesn't return things that bother me (i.e. pared back to 
minimal functionality first).

Since I only want EAP-TLS, output lines like the following bother me 
(I've inlined my concerns):

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 
2012 at 17:58:57

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/chap

Does FreeRADIUS really need to load all of those config files to 
function?  That is, does it hurt in any way to load all of the module 
config files?  From what I can tell, they don't seem to be relevant 
until they are instantiated later on, but I would appreciate confirmation.

radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no

What does this do?  I don't think I need a proxy server.  My setup is 
just a consumer router plus a single Ubuntu box with FreeRADIUS on it.

 home_server localhost {
ipaddr =
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 realm {
auth_pool = my_auth_failover
 realm LOCAL {

All of this seems to be in proxy.conf.  It doesn't look like I need any 
of it but I'm not sure if it is safe to get rid of it/comment it out. 
Again, this will be the only RADIUS server in the network and my 
understanding is that proxies are for forwarding requests to other 
RADIUS servers.  Given my setup, can I safely comment out the '$INCLUDE 
proxy.conf' line in 'radiusd.conf'?

radiusd:  Loading Clients 
 client localhost {
ipaddr =
require_message_authenticator = no
secret = testing123
nastype = other

Not sure why I would need this either.  Based on the 'secret' string's 
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm 
not 100% confident about that.

radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module exec from file /etc/freeradius/modules/exec
  exec {
wait = no
input_pairs = request
shell_escape = yes
 Module: Linked to module rlm_expr
 Module: Instantiating module expr from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module expiration from file 

  expiration {
reply-message = Password Has Expired  
 Module: Linked to module rlm_logintime
 Module: Instantiating module logintime from file 

  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60

Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a 
password - it can expire, but the message Password Has Expired seems 
like it will never appear (or, if it does, it'll be confusing to a 
user).  I'm probably not going to use the 'logintime' features.  'exec' 
might be useful since I probably will use the external 'openssl' based 
'verify' method in 'eap.conf' (unless someone can suggest a better 

radiusd:  Loading Virtual Servers 

Even when 'default' was the only thing in 'sites-enabled', it loaded a 
bunch of stuff other than EAP-TLS.  I currently have nothing in 
'sites-enabled' right now, but would like insight into what the 
configuration file should be to just do EAP-TLS.

radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
listen {
type = acct
ipaddr = *
port = 0
Listening on authentication address * port 

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Alan DeKok
Thomas Hruska wrote:
> Since I only want EAP-TLS, output lines like the following bother me
> (I've inlined my concerns):
> Does FreeRADIUS really need to load all of those config files to

  No.  That's why the config files are editable.  So you can edit them.

> That is, does it hurt in any way to load all of the module
> config files?

  I don't understand the question.  What can hurt about loading config

> What does this do?

  Read raddb/proxy.conf.  This is documented.  Extensively.

> All of this seems to be in proxy.conf.  It doesn't look like I need any
> of it but I'm not sure if it is safe to get rid of it/comment it out.

  Read proxy.conf.

> Again, this will be the only RADIUS server in the network and my
> understanding is that proxies are for forwarding requests to other
> RADIUS servers.  Given my setup, can I safely comment out the '$INCLUDE
> proxy.conf' line in 'radiusd.conf'?

  This is documented.  The comments above the line $INCLUDE proxy.conf
tell you.  And again, the reason the config files are text is so that
you can edit them.

  What's the worst that can happen?  If something goes wrong... just put
the text back.

> Not sure why I would need this either.  Based on the 'secret' string's
> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
> not 100% confident about that.

  No.  Clients have nothing to do with proxies.

  Do you plan on testing your server?  If so, that entry can be useful.

> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
> password - it can expire, but the message Password Has Expired seems
> like it will never appear (or, if it does, it'll be confusing to a
> user).  I'm probably not going to use the 'logintime' features.  'exec'
> might be useful since I probably will use the external 'openssl' based
> 'verify' method in 'eap.conf' (unless someone can suggest a better

  So... delete the things you're not using.  That's why there are
comments explaining what those modules do.  So you can learn, and think
for yourself.

> Even when 'default' was the only thing in 'sites-enabled', it loaded a
> bunch of stuff other than EAP-TLS.  I currently have nothing in
> 'sites-enabled' right now, but would like insight into what the
> configuration file should be to just do EAP-TLS.

  Read raddb/sites-enabled/default.

  Honestly, there is a *lot* of documentation on this included with the
config files.  I see no reason to cut & paste it here.  Instead, you
should find the time to read it.

> What do I need to do to set up FreeRADIUS so that it only supports

  Configure only EAP, and EAP-TLS.

> Some of the stuff in 'eap.conf' is confusing.  I've commented
> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
> uncommented and set 'default_eap_type = tls', but I'm not sure if that
> is all I need to do.  Documentation on setting up an EAP-TLS only
> RADIUS server is limited.

  Nonsense.  I don't mean that there's lots of documentation on setting
up your exact desired configuration.  I mean it's nonsense to *expect*
that there will be lots of documentation on setting up your exact
desired configuration.

> What is the best method of setting it up so that only the router can
> communicate with the RADIUS server on port 1812?

  Firewalls.  Then, making sure that the server is only listening on
port 1812

  Most of these questions are "The server does A and B, but I only want
it to do A.  What do I do?"  And the answer is "edit the config files so
that it doesn't do B."

 You're looking for reassurance that editing the config files won't
cause the server to explode in flaming metal.  It won't.  Edit them.

  Alan DeKok.
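The advice above amounts to a checklist: proxying off, no unneeded clients, only the `tls` method left in `eap.conf`, and the server listening only where the router can reach it. As an added example (not code from this thread or from the FreeRADIUS project), the script below parses the `section { key = value }` blocks that `freeradius -X` prints at startup and reports whatever still deviates from that EAP-TLS-only, single-client posture. The block layout is approximated from the debug lines quoted in this thread, the sample output is constructed, and the `main { proxy_requests = ... }` line is assumed to be printed in that form; the script name in the usage note is hypothetical.

```python
"""Posture check for an EAP-TLS-only FreeRADIUS server, run over the
`section { key = value }` blocks that `freeradius -X` prints at startup.

Added example, not code from the thread or the FreeRADIUS project. The
block layout is approximated from the debug lines quoted in the thread.
"""
import re

# Constructed sample of the relevant part of `freeradius -X` startup output
# (quotes around values are optional, indentation is ignored, and
# port = 0 means the protocol default, 1812 for auth).
SAMPLE_DEBUG = """\
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
 main {
    proxy_requests = yes
 }
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
 }
 client router {
    ipaddr = 192.0.2.1
    require_message_authenticator = yes
    secret = "CONSTRUCTED-SECRET"
 }
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
    default_eap_type = "tls"
    timer_expire = 60
   tls {
    private_key_file = "/etc/freeradius/certs/server.pem"
   }
   mschapv2 {
    with_ntdomain_hack = no
   }
  }
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
"""


class Section:
    """One `name { ... }` block: its key = value pairs and nested blocks."""

    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.attrs, self.children = {}, []


SECTION_RE = re.compile(r"^(\S.*?)\s*\{$")
ATTR_RE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")


def parse_debug(text):
    """Build a Section tree from debug output; unrelated log lines are ignored."""
    root = Section("root")
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            child = Section(m.group(1), cur)
            cur.children.append(child)
            cur = child
        elif line == "}":
            if cur.parent is not None:
                cur = cur.parent
        else:
            m = ATTR_RE.match(line)
            if m and cur is not root:
                cur.attrs[m.group(1)] = m.group(2).strip().strip('"')
    return root


def walk(section):
    """Yield every nested Section depth-first."""
    for child in section.children:
        yield child
        yield from walk(child)


def audit(root):
    """Return findings that deviate from an EAP-TLS-only, single-NAS deployment."""
    findings = []
    main = next((s for s in walk(root) if s.name == "main"), None)
    if main is not None and main.attrs.get("proxy_requests", "no").lower() == "yes":
        findings.append("main: proxy_requests = yes; nothing is forwarded here, "
                        "so set it to no and comment out the proxy.conf $INCLUDE")
    for client in (s for s in walk(root) if s.name.startswith("client ")):
        if client.attrs.get("secret") == "testing123":
            findings.append(f"{client.name}: stock shared secret 'testing123' in use")
        if client.name == "client localhost":
            findings.append(f"{client.name}: enabled; only needed for local "
                            "testing, so remove it once the router works")
    eap = next((s for s in walk(root) if s.name == "eap"), None)
    if eap is None:
        findings.append("eap: module not instantiated, so no EAP at all")
    else:
        if eap.attrs.get("default_eap_type") != "tls":
            findings.append(f"eap: default_eap_type = "
                            f"{eap.attrs.get('default_eap_type')!r}, expected tls")
        for method in eap.children:  # nested blocks are the enabled EAP methods
            if method.name != "tls":
                findings.append(f"eap: non-TLS method '{method.name}' still "
                                "configured; comment it out of eap.conf")
    for lst in (s for s in walk(root) if s.name == "listen"):
        kind = lst.attrs.get("type", "?")
        if kind != "auth":
            findings.append(f"listen ({kind}): not needed for EAP-TLS authentication only")
        if lst.attrs.get("ipaddr") == "*":
            findings.append(f"listen ({kind}): ipaddr = * binds every interface; bind "
                            "to the address the router reaches and firewall UDP 1812")
    return findings


def audit_text(text):
    return audit(parse_debug(text))


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_DEBUG
    for finding in audit_text(text):
        print("-", finding)
```

Run it with no arguments to see the seven findings the constructed sample produces, or pipe the live output in with `freeradius -X 2>&1 | python3 eaptls_audit.py -` (hypothetical file name). An empty report means the startup output shows exactly what the thread recommends; the script only reads the debug text and never touches the config files.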

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Thomas Hruska

On 3/23/2013 3:54 PM, Alan DeKok wrote:

> Thomas Hruska wrote:
>
> Read proxy.conf.

[Sigh]  I have.  It doesn't make sense to me.  Why enable it as a 
default if it isn't necessary for basic functionality?  Hopefully you 
can see how the average user might be confused: "Hey, the authors enabled 
this by default.  Maybe there is a very important reason for that.  I'll 
go ahead and leave it alone because they know better."  But I see an 
open port and wonder if it is actually necessary.  So I figured I would 
ask to obtain some knowledge of why it is enabled by default, hence the 
original questions.  Here's the text from 'radiusd.conf':

#  proxy_requests: Turns proxying of RADIUS requests on or off.
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#  To disable proxying, change the yes to no, and comment the
#  $INCLUDE line.
#  allowed values: {no, yes}

Nowhere in there does it explain why proxying is on by default.  It just 
says that it can be turned off.  I want to know why it is on by default 
in the first place.  From what I'm beginning to understand, based on 
your reply, FreeRADIUS opens a port that isn't necessary for basic 
functionality as part of its default installation.  That sort of 
behavior should at least raise an eyebrow if not a few red flags.

>> Not sure why I would need this either.  Based on the 'secret' string's
>> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
>> not 100% confident about that.
>
> No.  Clients have nothing to do with proxies.
>
> Do you plan on testing your server?  If so, that entry can be useful.

The default client secrets(s) should be different from the default proxy 
secret(s) to avoid confusion for first-time users.

I missed that it is there for testing.  And I see why:

#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#  Defines a RADIUS client.
#  '' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.

#  Each client has a short name that is used to distinguish it from
#  other clients.
#  In version 1.x, the string after the word client was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the ipaddr or ipv6addr fields.  For compatibility, the 1.x
#  format is still accepted.

>> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
>> password - it can expire, but the message Password Has Expired seems
>> like it will never appear (or, if it does, it'll be confusing to a
>> user).  I'm probably not going to use the 'logintime' features.  'exec'
>> might be useful since I probably will use the external 'openssl' based
>> 'verify' method in 'eap.conf' (unless someone can suggest a better
>
> So... delete the things you're not using.  That's why there are
> comments explaining what those modules do.  So you can learn, and think
> for yourself.

Again, defaults exist for a reason.  The reasons for the defaults are 
what I'm actually after here.

>> Some of the stuff in 'eap.conf' is confusing.  I've commented
>> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
>> uncommented and set 'default_eap_type = tls', but I'm not sure if that
>> is all I need to do.  Documentation on setting up an EAP-TLS only
>> RADIUS server is limited.
>
> I mean it's nonsense to *expect*
> that there will be lots of documentation on setting up your exact
> desired configuration.

All I was asking here was if commenting out those protocols in 
'eap.conf' was all I have to do to disable them?  A simple confirmation 
would suffice.

> You're looking for reassurance that editing the config files won't
> cause the server to explode in flaming metal.  It won't.  Edit them.

I admit that there is a little of that, but I'm just trying to save 
myself from breaking things too badly by understanding why the defaults 
are the defaults before I go and blow away large portions of config.


Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Arran Cudbard-Bell

On 23 Mar 2013, at 23:32, Thomas Hruska wrote:

> On 3/23/2013 3:54 PM, Alan DeKok wrote:
>> Thomas Hruska wrote:
>> Read proxy.conf.
> [Sigh]  I have.  It doesn't make sense to me.  Why enable it as a default if 
> it isn't necessary for basic functionality?  Hopefully you can see how the 
> average user might be confused, Hey the authors enabled this by default.  
> Maybe there is a very important reason for that.

Nope, just means more things work with less tweaking.

> I'll go ahead and leave it alone because they know better.  But I see an 
> open port and wonder if it is actually necessary.  So I figured I would ask 
> to obtain some knowledge of why it is enabled by default, hence the original 
> questions.  Here's the text from 'radiusd.conf':
> #  proxy_requests: Turns proxying of RADIUS requests on or off.
> #  The server has proxying turned on by default.  If your system is NOT
> #  set up to proxy requests to another server, then you can turn proxying
> #  off here.  This will save a small amount of resources on the server.
> #  If you have proxying turned off, and your configuration files say
> #  to proxy a request, then an error message will be logged.
> #  To disable proxying, change the yes to no, and comment the
> #  $INCLUDE line.
> #  allowed values: {no, yes}
> Nowhere in there does it explain why proxying is on by default.  It just says 
> that it can be turned off.  I want to know why it is on by default in the 
> first place.  From what I'm beginning to understand, based on your reply, 
> FreeRADIUS opens a port that isn't necessary for basic functionality as part 
> of its default installation.  That sort of behavior should at least raise an 
> eyebrow if not a few red flags.

Why is authentication on by default? You might just want to do accounting. Why 
is accounting on by default? You might just want to do authentication. It's on 
by default because it does no harm having it on by default, and makes it easier 
for people with no knowledge of the server to use the server.

You just add a realm, and it works, instead of having to toggle different bits 
of config to make it work.

I think the configs could probably do with trimming a bit, but it does not make 
sense to disable these things by default, as there are no security 
implications, just a slight increase in memory usage.

>> Not sure why I would need this either.  Based on the 'secret' string's
>> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
>> not 100% confident about that.
>> No.  Clients have nothing to do with proxies.
>> Do you plan on testing your server?  If so, that entry can be useful.
> The default client secrets(s) should be different from the default proxy 
> secret(s) to avoid confusion for first-time users.
> I missed that it is there for testing.  And I see why:

That sentence is ambiguous.

>> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
>> password - it can expire, but the message Password Has Expired seems
>> like it will never appear (or, if it does, it'll be confusing to a
>> user).  I'm probably not going to use the 'logintime' features.  'exec'
>> might be useful since I probably will use the external 'openssl' based
>> 'verify' method in 'eap.conf' (unless someone can suggest a better
>> So... delete the things you're not using.  That's why there are
>> comments explaining what those modules do.  So you can learn, and think
>> for yourself.
> Again, defaults exist for a reason.  The reasons for the defaults are what 
> I'm actually after here.

Again it's so things just work. For rlm_logintime, if you read the code:

If there's no Login-Time attribute in the request it does nothing. If there is 
a Login-Time attribute in the request it ensures the user can only login before 
that time.

It means you can add Login-Time in a users file, and it'll just work, instead 
of hunting through the server to figure out where to turn on the Login-Time 

>> Some of the stuff in 'eap.conf' is confusing.  I've commented
>> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
>> uncommented and set 'default_eap_type = tls', but I'm not sure if that
>> is all I need to do.  Documentation on setting up an EAP-TLS only
>> RADIUS server is limited.
>> I mean it's nonsense to *expect*
>> that there will be lots of documentation on setting up your exact
>> desired configuration.
> All I was asking here was if commenting out those protocols in 'eap.conf' was 
> all I have to do to disable them?  A simple confirmation would suffice.

Yes. It's all you have to do to disable them.

>> You're looking for reassurance that editing the config files won't
>> cause the server to explode in flaming metal.  It won't.  Edit them.
> I admit that there is a little of that, but I'm just trying to save